User Logon / Session Duration

The following query returns the duration of each user session, measured from the initial logon event to the matching logoff event for the same host and user. I have a duration filter set to greater than 5 seconds to weed out any scripts that quickly log on and log off (change this as needed to fit your environment).

Windows 2008 and newer:
source=WinEventLog:Security (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10) | eval Date=strftime(_time, "%Y/%m/%d") | eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services") | transaction host user startswith="EventCode=4624" endswith="EventCode=4634" | where duration > 5 | eval duration=round(duration/60, 2) | table host, user, LogonType, duration, Date | rename duration as "Session Duration in Minutes" | sort - Date

Windows 2003 and before:
source=WinEventLog:Security (EventCode=528 OR EventCode=538) (Logon_Type=2 OR Logon_Type=10) | eval Date=strftime(_time, "%Y/%m/%d") | eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services") | transaction host User startswith="EventCode=528" endswith="EventCode=538" | where duration > 5 | eval duration=round(duration/60, 2) | table host, User, LogonType, duration, Date | rename duration as "Session Duration in Minutes" | sort - Date


#Admin Edit 12/17/2018 (fixed sourcetype and changed it to source…queries should work again).
