Splunk Lantern

Baseline of user logon times

You might want to have a baseline of user logon behavior when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You want to create a baseline of user logon times so that you can monitor for outliers. 

To optimize the search shown below, you should specify an index and a time range. 

  1. Set the search time range picker to the Last 30 days. You can change this based on your circumstances, but 30 days usually makes a good baseline.
  2. Run the following search: 
sourcetype=WinEventLog:Security EventCode=4624
| eventstats avg("_time") AS avg stdev("_time") AS stdev 
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| eval isOutlier=if('_time' < lowerBound OR '_time' > upperBound, 1, 0)
| table _time body isOutlier

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=WinEventLog:Security 

Search only Windows security event logs.

EventCode=4624

Return successful local computer logon events.

| eventstats avg("_time") AS avg stdev("_time") AS stdev 

Calculate the average and the standard deviation of logon times and name those results avg and stdev.

| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))

Calculate a lower bound for your baseline by subtracting the standard deviation times 2 from the average. Calculate an upper bound for your baseline by adding the standard deviation times 2 to the average.

| eval isOutlier=if('_time' < lowerBound OR '_time' > upperBound, 1, 0)

Create an isOutlier field that is set to 1 if the time of a logon is outside the calculated lower or upper bound, and to 0 otherwise.

| table _time body isOutlier

Display the results in a table with columns in the order shown. The body field describes the logon event.

Result

You can sort or filter the results to see the outliers, and then use the information provided in the body field to investigate further.
