Skip to main content
Splunk Lantern

Baseline of user logon times

 

You want to create a baseline of user logon times so that you can monitor for outliers. 

Data required

Windows event logs

Procedure

  1. Set the search time range picker to the Last 30 days. You can change this based on your circumstances, but 30 days usually makes a good baseline.
  2. Run the following search. You can optimize it by specifying an index.
sourcetype=WinEventLog:Security EventCode=4624
| eventstats avg("_time") AS avg stdev("_time") AS stdev 
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| eval isOutlier=if('_time' < lowerBound OR '_time' > upperBound, 1, 0)
| table _time body isOutlier

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=WinEventLog:Security 

Search only Windows security event logs.

EventCode=4624
 

Return successful local computer logon events.

| eventstats avg("_time") AS avg stdev("_time") AS stdev 

Calculate the average and the standard deviation of logon times and name those results avg and stdev.

| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))

Calculate a lower bound for your baseline by subtracting the standard deviation times 2 from the average. Calculate an upper bound for your baseline by adding the standard deviation times 2 to the average.

| eval isOutlier=if('_time' < lowerBound OR '_time' > upperBound, 1, 0)

Create an isOutlier field that returns a result of 1 if the time of a logon is outside the calculated lower or upper bound. Return a value of 1 if true and 0 if false. 

| table _time body isOutlier

Display the results in a table with columns in the order shown. The body field describes the logon event.

Next steps

You can sort or filter the results to see the outliers, and then use the information provided in the body field to investigate further.

Finally, you might be interested in other processes associated with the Monitoring Windows account access and Creating a timebound picture of network activity use cases.