Baseline of user logon times
You want to create a baseline of user logon times so that you can monitor for outliers.
Data required
This use case uses event signatures data for Windows event logs, but you can adjust it for other types of user activity log data in use at your organization.
Procedure
- Set the search time range picker to the Last 30 days. You can change this based on your circumstances, but 30 days usually makes a good baseline.
- Run the following search. You can optimize it by specifying an index.
index=* sourcetype=WinEventLog:Security EventCode=4624
| eventstats avg("_time") AS avg stdev("_time") AS stdev
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| eval isOutlier=if('_time' < lowerBound OR '_time' > upperBound, 1, 0)
| table _time body isOutlier
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
|
Search the appropriate index for Windows security event logs. |
|
|
Return successful local computer logon events. |
|
|
Calculate the average and the standard deviation of logon times and name those results avg and stdev. |
|
|
Calculate a lower bound for your baseline by subtracting the standard deviation times 2 from the average. Calculate an upper bound for your baseline by adding the standard deviation times 2 to the average. |
|
|
Create an |
|
|
Display the results in a table with columns in the order shown. The body field describes the logon event. |
Next steps
You can sort or filter the results to see the outliers, and then use the information provided in the body field to investigate further.
Finally, you might be interested in other processes associated with the Monitoring Windows account access and Creating a timebound picture of network activity use cases.