
I'm tracking the usage of the DomainAdmin account and monitoring which users had an active logon session on the server from where DomainAdmin logged in. Here's the query I'm currently using:

(event_simpleName=UserLogoff OR event_simpleName=UserLogon) LogonType_decimal IN (2,10) UserName!=DomainAdmin
    [ search event_simpleName=UserLogon UserName="DomainAdmin" LogonType_decimal IN (2,10)
      | eval LocalAddressIP4=if(RemoteAddressIP4="127.0.0.1",LocalAddressIP4,RemoteAddressIP4)
      | fields LocalAddressIP4 ]
| sort -Time
| dedup ComputerName,UserName,event_simpleName
| eval LogonTimestamp=if(match(event_simpleName,"UserLogon"), timestamp, null())
| eval LogoffTimestamp=if(match(event_simpleName,"UserLogoff"), timestamp, null())
| selfjoin overwrite=true keepsingle=true UserName, ComputerName
| where LogonTimestamp > LogoffTimestamp OR isnull(LogoffTimestamp)

Issues I need help with:

  1. If DomainAdmin logs onto multiple servers during the search timeframe, there is no way to tell which UserSession corresponds to what DomainAdmin logon.
  2. There is no way to limit the UserLogon search only to the timeframe before DomainAdmin logon.

How could I join fields timestamp and ComputerName (both renamed, so they don't conflict with main search) from subsearch results into main search events (without actually searching on them)?

The join function might be able to do it, but there are just too many UserLogon/UserLogoff events to go through without first limiting the scope with the subsearch by searching only for the DomainAdmin account. I explored several other functions in an attempt to achieve the desired result, but none of them yielded the data I was looking for.

Loproc
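The correlation the question is after (for each DomainAdmin logon, which other users had an interactive session open on that host at that moment) as a stand-alone Python reference, added here and not part of the original post or of Splunk/Falcon. It walks the logon/logoff stream in time order instead of joining on IP, so each result is tied to one specific admin logon and only sessions opened before that logon and not yet closed are counted. The field names follow the question; the events are constructed sample data, not real Falcon telemetry.

```python
"""Active interactive sessions at the moment of each DomainAdmin logon."""
from collections import defaultdict

INTERACTIVE_LOGON_TYPES = {2, 10}  # console and RDP, as in the question's SPL
ADMIN = "DomainAdmin"


def _ev(kind, user, host, logon_type, ts):
    """Build one event dict using the Falcon field names from the question."""
    return {"event_simpleName": kind, "UserName": user, "ComputerName": host,
            "LogonType_decimal": logon_type, "timestamp": ts}


# Constructed sample events; timestamps are epoch seconds, hosts are made up.
SAMPLE_EVENTS = [
    _ev("UserLogon",  "alice",       "SRV1", 2,  100),
    _ev("UserLogon",  "bob",         "SRV1", 10, 200),
    _ev("UserLogoff", "alice",       "SRV1", 2,  300),   # alice gone before admin arrives
    _ev("UserLogon",  "DomainAdmin", "SRV1", 10, 400),
    _ev("UserLogon",  "carol",       "SRV2", 2,  500),
    _ev("UserLogon",  "dave",        "SRV2", 3,  550),   # network logon, not interactive
    _ev("UserLogon",  "DomainAdmin", "SRV2", 10, 600),
    _ev("UserLogoff", "DomainAdmin", "SRV2", 10, 700),
    _ev("UserLogon",  "alice",       "SRV1", 2,  750),   # alice back before 2nd admin logon
    _ev("UserLogon",  "DomainAdmin", "SRV1", 10, 800),
]


def active_users_at_admin_logons(events, admin=ADMIN, logon_types=INTERACTIVE_LOGON_TYPES):
    """Return [(admin_logon_timestamp, ComputerName, sorted active users)], one per admin logon.

    Events are processed in time order; a user counts as active on a host while
    their most recent interactive event there is a UserLogon. A UserLogoff with no
    prior logon in the window (session started earlier) is simply ignored.
    """
    active = defaultdict(dict)  # ComputerName -> {UserName: logon timestamp}
    results = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if int(ev["LogonType_decimal"]) not in logon_types:
            continue
        host, user, kind = ev["ComputerName"], ev["UserName"], ev["event_simpleName"]
        if user == admin:
            if kind == "UserLogon":   # snapshot of everyone else on this host right now
                results.append((ev["timestamp"], host, sorted(active[host])))
            continue
        if kind == "UserLogon":
            active[host][user] = ev["timestamp"]
        elif kind == "UserLogoff":
            active[host].pop(user, None)
    return results


if __name__ == "__main__":
    for ts, host, users in active_users_at_admin_logons(SAMPLE_EVENTS):
        print(f"{ts} {host}: {', '.join(users) or '(none)'}")
```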

0 Answers