Splunk Lantern

Monitoring mandatory time away (MTA) with the Splunk platform

Enforcing mandatory time away (MTA) policies is essential to safeguard employee well-being while preventing internal risks, such as unauthorized access and fraud.

Imagine an employee bypassing mandatory time away by maintaining continuous access to critical systems for extended periods. This behavior might lead to unnoticed fraudulent activities—such as unauthorized transactions or data manipulation—while also increasing the risk of errors due to fatigue. The absence of enforced breaks can compromise internal controls and expose the institution to significant operational and reputational risks.

MTA policies require employees to take scheduled breaks or time off to prevent burnout and reduce the risk of internal fraud. In banking, where continuous access to sensitive systems can lead to vulnerabilities, these policies form a critical line of defense. Without enforced breaks, prolonged work periods may create opportunities for unauthorized activities or mask signs of internal misuse.

With the Splunk platform, banks can gain unprecedented visibility into employee activity, ensuring that policies are adhered to and compliance requirements are met.

  • Some commands, parameters, and field names in the searches below might need to be adjusted to match your environment.
  • Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.

Data required

How to use the Splunk platform for this use case

  • Integrating the Splunk platform for comprehensive monitoring: The Splunk platform aggregates data from multiple sources—workstations, access management systems, and HR records—into a single comprehensive view of employee activity. By ingesting data such as login times, logout events, and session durations, the Splunk platform can correlate this information against scheduled break periods and mandated time away policies, laying the foundation for continuous monitoring and proactive detection of policy deviations.
  • Real-time analytics and alerting: The Splunk platform has powerful real-time analytics capabilities that allow banks to set up dashboards that display employee activity patterns and automatically flag anomalies. For example, if an employee’s session extends far beyond their scheduled working hours without a break, the Splunk platform can trigger an immediate alert for further investigation. Additionally, machine learning models within the Splunk platform can analyze historical trends and predict potential policy violations before they escalate.
  • Automated compliance reporting: Automated reporting is a crucial feature for maintaining compliance. Reporting tools in the Splunk platform generate detailed logs and visualizations that provide insights into employee activity over time. These reports support internal audits by offering historical context and a clear record of adherence to mandatory time away policies. The ability to quickly produce these reports streamlines regulatory reviews and reinforces the institution’s commitment to internal controls and operational integrity.

There are many searches you can run with Splunk software to monitor compliance with mandatory time away policies. The following searches are a starting point:

► Employee activity monitoring dashboard

Create a search to review employee logins and logouts, display session durations, and identify extended periods of continuous activity.

Run the following search:

index=security sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634)
| eval event=if(EventCode==4624, "Login", "Logout")
| stats min(_time) AS firstEvent, max(_time) AS lastEvent, count(eval(event="Login")) AS logins, count(eval(event="Logout")) AS logouts BY user
| eval session_duration = lastEvent - firstEvent
| where session_duration > 0
| table user, firstEvent, lastEvent, session_duration, logins, logouts

Deploy this search to create a dashboard to monitor when a user’s session exceeds expected durations, helping to quickly identify potential violations of mandatory break policies.

► Extended session alert

Create an alert when an employee’s session duration exceeds a predefined threshold (for example, an 8-hour shift without a break).

Run the following search:

index=security sourcetype="WinEventLog:Security" EventCode=4624
| stats earliest(_time) AS startTime BY user
| join type=left user
[ search index=security sourcetype="WinEventLog:Security" EventCode=4634 
| stats latest(_time) AS logoutTime BY user ] 
| eval session_duration = if(isnull(logoutTime), now()-startTime, logoutTime - startTime) 
| where session_duration > (8*3600)
| table user, startTime, logoutTime, session_duration 

Configure this search as a scheduled alert to notify security or compliance teams of any session that might indicate a missed mandatory break, prompting immediate investigation.

► HR data integration for scheduled breaks

Integrate HR data (for example, scheduled break times) using a lookup file to compare against actual system activity and flag policy violations.

Run the following search:

index=security sourcetype="employee_activity"
| lookup hr_schedule user OUTPUT scheduled_break_start, scheduled_break_end
| eval violation = if(_time >= scheduled_break_start AND _time <= scheduled_break_end, "Violation", "Compliant")
| search violation="Violation"
| table user, _time, violation

This query correlates login data with HR-defined break schedules to automatically highlight instances where employees remain active during their mandatory break times.

You can also use the Splunk Machine Learning Toolkit to build a model that learns normal employee activity patterns and detects anomalies—such as unusually long continuous sessions—that might indicate policy violations.

► Detecting anomalies with the Splunk Machine Learning Toolkit

Run the following search, which uses the DensityFunction algorithm provided by the Splunk Machine Learning Toolkit (MLTK):

| tstats count WHERE index=security BY _time span=1h, user
| fit DensityFunction count BY user threshold=0.05 into model
| where 'IsOutlier(count)'=1

This search fits a probability density to each user's hourly activity counts, then flags the hours whose count falls in the lowest-probability 5% of that user's distribution (statistically anomalous behavior). The fit command already scores the events it is trained on and writes the IsOutlier(count) and ProbabilityDensity(count) fields, so no separate apply step is needed here; use apply with the saved model when scoring new data later. This provides a dynamic and data-driven approach to detecting compliance issues.
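As an added example, not code from Splunk or the MLTK, the following Python stand-in shows what the density search above does with its threshold, so the semantics can be inspected outside SPL: per user, the hourly activity counts are fitted with a normal distribution and an hour is flagged when its two-tailed tail probability falls below the threshold. The user names and hourly counts are constructed; the function names are assumptions.

```python
"""Added example (not Splunk MLTK code): a plain-Python stand-in for the
DensityFunction search on the page, fitting a normal distribution to each
user's hourly activity counts and flagging hours in the low-probability tails."""
from statistics import NormalDist, mean, stdev

# Constructed hourly activity counts per user (one value per hour bucket),
# the shape produced by `tstats count ... BY _time span=1h, user`.
# List index = hour bucket.
HOURLY_COUNTS = {
    "alice": [8, 12, 10, 9, 11, 10, 13, 9, 10, 11, 12, 8, 45],
    "bob":   [5, 6, 5, 6, 6, 5, 6, 5, 6, 6, 5, 6, 5],
}
THRESHOLD = 0.05  # fraction of probability mass treated as the outlier tails


def tail_probability(counts):
    """Fit N(mu, sigma) to the counts and return the two-tailed tail
    probability of each observation under that fit."""
    if len(counts) < 2:
        return [1.0] * len(counts)
    mu, sigma = mean(counts), stdev(counts)
    if sigma == 0:
        return [1.0] * len(counts)   # constant activity: nothing is anomalous
    dist = NormalDist(mu, sigma)
    return [2 * min(dist.cdf(x), 1 - dist.cdf(x)) for x in counts]


def find_outliers(hourly_counts, threshold=THRESHOLD):
    """Return {user: [(hour_index, count, tail_probability)]} listing the
    hours whose tail probability is below the threshold, per user."""
    out = {}
    for user, counts in hourly_counts.items():
        probs = tail_probability(counts)
        out[user] = [(i, c, round(p, 4))
                     for i, (c, p) in enumerate(zip(counts, probs)) if p < threshold]
    return out


if __name__ == "__main__":
    for user, hits in find_outliers(HOURLY_COUNTS).items():
        print(user, hits or "no anomalous hours")
```

Only alice's 13th hour (count 45) is flagged; bob's steady counts all sit well inside the distribution. Because the outlier itself inflates the fitted standard deviation, a single extreme hour is easier to catch than a slow drift, which is why the correlation searches that follow still matter.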

After training a model, you can develop correlation searches that compare multiple data sources (such as workstation logs, network access logs, or HR schedules) to identify continuous activity patterns that violate mandatory time away policies. The approach should look like this:
  • Step 1: Aggregate employee activity logs.
  • Step 2: Join with HR schedule data to obtain expected break periods.
  • Step 3: Use conditional logic to flag sessions with no recorded break within the expected window.
  • Step 4: Generate alerts and visualizations based on these correlations.
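The four steps above, together with the extended session alert earlier on the page, as an added worked example in Python rather than SPL (this is not Splunk's code): logon/logoff records are paired into sessions, joined to an HR break schedule, and a finding is raised when a session exceeds the 8-hour threshold or when the user had an open session for the whole of the expected break window. Field names user, EventCode and _time mirror the page's searches; the events, the HR schedule (break_start/break_end), the "now" timestamp and the rule names are constructed assumptions.

```python
"""Added example, not Splunk's code: the correlation steps on the page and
the extended session alert implemented over constructed logon/logoff
records, so the pairing and break-detection logic can be tested outside SPL."""
from datetime import datetime, time, timedelta, timezone

# Step 1 input: constructed events in the shape of WinEventLog:Security
# 4624 (logon) / 4634 (logoff). Timestamps are ISO 8601, treated as UTC.
EVENTS = [
    {"_time": "2024-03-04T08:00:00", "user": "alice", "EventCode": 4624},
    {"_time": "2024-03-04T12:00:00", "user": "alice", "EventCode": 4634},
    {"_time": "2024-03-04T12:45:00", "user": "alice", "EventCode": 4624},
    {"_time": "2024-03-04T17:00:00", "user": "alice", "EventCode": 4634},
    {"_time": "2024-03-04T08:05:00", "user": "bob",   "EventCode": 4624},
    {"_time": "2024-03-04T19:30:00", "user": "bob",   "EventCode": 4634},
    {"_time": "2024-03-04T07:50:00", "user": "carol", "EventCode": 4624},
    # carol never logs off: an open session still has to be evaluated
]

# Step 2 input: constructed HR schedule, playing the role of the hr_schedule
# lookup. The window is when a break (a gap with no open session) is expected.
HR_SCHEDULE = {
    "alice": {"break_start": "12:00", "break_end": "13:00"},
    "bob":   {"break_start": "12:00", "break_end": "13:00"},
    "carol": {"break_start": "12:30", "break_end": "13:30"},
}

MAX_SESSION = timedelta(hours=8)   # same threshold as the extended session alert
NOW = datetime(2024, 3, 4, 15, 0, tzinfo=timezone.utc)  # constructed "now" for open sessions


def parse(ts):
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def build_sessions(events, now):
    """Step 1: pair each 4624 with the next 4634 for the same user.
    Returns {user: [(login, logout)]}; a logon without a logoff is an
    open session measured up to `now`."""
    open_login, sessions = {}, {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        user, t = ev["user"], parse(ev["_time"])
        if ev["EventCode"] == 4624:
            open_login.setdefault(user, t)   # keep the earliest unmatched logon
        elif ev["EventCode"] == 4634 and user in open_login:
            sessions.setdefault(user, []).append((open_login.pop(user), t))
    for user, t in open_login.items():
        sessions.setdefault(user, []).append((t, now))
    return sessions


def covered_seconds(sessions, w_start, w_end):
    """Seconds of [w_start, w_end] during which the user had an open session.
    Sessions from build_sessions never overlap, so the clipped lengths add up."""
    total = 0.0
    for s, e in sessions:
        lo, hi = max(s, w_start), min(e, w_end)
        if hi > lo:
            total += (hi - lo).total_seconds()
    return total


def evaluate(events, schedule, now):
    """Steps 2-4: join sessions with the HR schedule and return one record
    per finding; the alert and dashboard layer consumes these records."""
    findings = []
    for user, sessions in build_sessions(events, now).items():
        for s, e in sessions:
            if e - s > MAX_SESSION:
                findings.append({"user": user, "rule": "extended_session",
                                 "hours": round((e - s).total_seconds() / 3600, 2)})
        plan = schedule.get(user)
        if plan is None:
            findings.append({"user": user, "rule": "no_hr_schedule"})
            continue
        # Place the break window on the day of the user's first session;
        # a production search would evaluate this per shift day.
        day = sessions[0][0].date()
        w_start = datetime.combine(day, time.fromisoformat(plan["break_start"]), tzinfo=timezone.utc)
        w_end = datetime.combine(day, time.fromisoformat(plan["break_end"]), tzinfo=timezone.utc)
        # Step 3: no recorded break means the window was fully covered by sessions
        if covered_seconds(sessions, w_start, w_end) >= (w_end - w_start).total_seconds():
            findings.append({"user": user, "rule": "no_break_in_window",
                             "window": f"{plan['break_start']}-{plan['break_end']}"})
    return findings


if __name__ == "__main__":
    for finding in evaluate(EVENTS, HR_SCHEDULE, NOW):
        print(finding)
```

Run as-is, it reports bob for both an 11.42-hour session and a missed break, and carol for a missed break because her session is still open across the whole window; alice is compliant because she logged off at 12:00 and was back only for the last 15 minutes of her window. Pairing logons with the next logoff per user, rather than taking the earliest logon and latest logoff over the whole search window as the join-based alert does, is what makes a 45-minute gap count as a break.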

Tailor this comprehensive search to different departments or shifts, providing context for investigations by combining system data with HR records.

Next steps

  • Pilot and validate: Begin with a pilot project to test the monitoring and alerting capabilities in a controlled environment. Collaborate with IT, HR, and compliance teams to establish baseline activity patterns and define alert thresholds. The pilot phase will allow you to refine the solution, ensuring it effectively captures and responds to policy deviations without generating excessive false positives.
  • Customization and integration: Integrate the Splunk platform with existing HR systems and access control mechanisms to achieve a seamless flow of data. Customize dashboards and reports to align with your institution’s specific compliance requirements and operational practices. This tailored approach ensures that the monitoring solution is fully embedded within your organization’s existing security framework.
  • Training and ongoing optimization: Invest in comprehensive training for security and compliance personnel on how to interpret Splunk data related to employee activity. Host workshops and create user guides outlining best practices for monitoring and investigating potential policy breaches. Establish a continuous improvement process to periodically review and update the system, adapting machine learning models and alert criteria as employee behavior patterns and regulatory requirements evolve.
  • Expanding your detection capabilities: As you refine your monitoring strategy, further enhance your use cases with additional Splunk solutions tailored for the financial services industry. The Splunk Essentials for the Financial Services Industry app automates searches to detect financial crime, offering valuable insights into how these searches operate, their difficulty level, and the key data required for success.

Splunk Essentials for the Financial Services Industry specifically addresses challenges such as:

Additionally, the Splunk App for Fraud Analytics provides a suite of advanced fraud detection solutions, covering critical areas like account takeover and new account abuse. Integrating these apps with your existing framework will not only bolster your internal compliance but also streamline your approach to combating financial crime.

Finally, these resources might help you understand and implement this guidance: