I am trying to create an alert to track admin users logged on to Windows servers but not performing any activities even after 30 mins of logging in/authentication.
index=main (eventtype=logon_activity OR eventtype=wineventlog_security OR eventtype=wineventlog_system)
In Windows logs, I can use Logon_id to track sessions, but I need to find out the age/delta time which is more than 30 mins.
Any suggestions/thoughts? Thanks in advance.
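One way to build this on top of the search in the question, as an added example (not the poster's own search): anchor each session on the earliest event seen for a Logon_ID, count how many further events that Logon_ID produced in the 30 minutes after it, and alert on sessions that are at least 30 minutes old with zero follow-up activity. It assumes the Windows add-on field names Logon_ID/TargetLogonId, user/TargetUserName and host, a 24 h window so the first event per Logon_ID is the logon itself, and a hypothetical lookup admin_users.csv (columns user, is_admin) that marks admin accounts.

```spl
index=main (eventtype=logon_activity OR eventtype=wineventlog_security OR eventtype=wineventlog_system) earliest=-24h
| eval Logon_ID=coalesce(Logon_ID, TargetLogonId), user=coalesce(user, TargetUserName)
| where isnotnull(Logon_ID) AND NOT Logon_ID IN ("0x3e7", "0x3e4", "0x3e5")
| eventstats min(_time) AS logon_time BY host Logon_ID
| eval activity_in_window=if(_time>logon_time AND _time<=logon_time+1800, 1, 0)
| stats min(_time) AS logon_time, sum(activity_in_window) AS activity_in_window, values(user) AS user BY host Logon_ID
| eval minutes_since_logon=round((now()-logon_time)/60)
| where minutes_since_logon>=30 AND activity_in_window=0
| lookup admin_users.csv user OUTPUT is_admin
| where is_admin="true"
| convert ctime(logon_time)
| table host user Logon_ID logon_time minutes_since_logon
```

The three excluded Logon_IDs are the fixed SYSTEM, NETWORK SERVICE and LOCAL SERVICE sessions, which never idle out and would otherwise fire on every host; a session whose logon happened before the search window will have its first in-window event taken as the logon, so schedule the alert with a window longer than your typical session length.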