I’m using Splunk to try to detect multiple Windows login sessions by a single user, as an indicator of compromise. However, I’m not sure how to go about this – I can ingest workstation logs (events 4624/4634) and look for a large discrepancy between logins and logouts (indicating a high number of sessions) in the workstation logs, but there are a few problems.
First, a discrepancy between logins and logouts does not necessarily indicate compromise; it’s (relatively) normal for a user to be logged in to multiple devices at once. Secondly, login/logout events are generated for a user unlocking their computer, but are not generated for a user locking/sleeping their machine.
Is there an elegant solution for this? Even if there isn’t – is there an agreed-upon list of Windows event IDs I should track to develop a better picture of high login sessions? Thanks!
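As an added illustration of the 4624/4634 bookkeeping described in the question (example code, not from the original post or from Splunk), the following pairs logon and logoff events on the host plus Logon ID, skips unlock logons (Logon Type 7), and counts distinct hosts per user rather than raw logon-minus-logoff totals, which addresses both objections raised above. The event records, field order and the threshold are constructed; a real deployment would compute the same thing in SPL over the ingested events.

```python
# Added example: models per-user session tracking over constructed,
# simplified Windows Security event records (EventCode, host,
# TargetUserName, TargetLogonId, LogonType). Not the asker's code.
from collections import defaultdict

# Logon Type 7 is "Unlock": a 4624 emitted when a user unlocks the
# workstation. Locking emits no 4634, so unlocks must not count as
# new sessions or the logon/logoff discrepancy grows forever.
UNLOCK = "7"

SAMPLE_EVENTS = [  # constructed sample, not real log data
    ("4624", "WS01", "alice", "0x1a", "2"),
    ("4624", "WS01", "alice", "0x1b", "7"),   # unlock, not a new session
    ("4624", "WS02", "alice", "0x2a", "10"),
    ("4624", "WS03", "alice", "0x3a", "3"),
    ("4624", "WS04", "alice", "0x4a", "3"),
    ("4634", "WS03", "alice", "0x3a", "3"),   # closes the WS03 session
    ("4624", "WS01", "bob",   "0x5a", "2"),
    ("4634", "WS01", "bob",   "0x5a", "2"),
]

def open_sessions(events):
    """Return {user: {host, ...}} for sessions that have a 4624 but no
    matching 4634 yet. 4624 and 4634 are paired on (host, LogonId),
    which is how the two events reference the same session."""
    live = {}
    for code, host, user, logon_id, logon_type in events:
        key = (host, logon_id)
        if code == "4624" and logon_type != UNLOCK:
            live[key] = user
        elif code == "4634":
            # A logoff with no recorded logon (e.g. session predates
            # ingestion) is simply ignored rather than going negative.
            live.pop(key, None)
    per_user = defaultdict(set)
    for (host, _), user in live.items():
        per_user[user].add(host)
    return dict(per_user)

def flag_users(events, max_hosts=2):
    """Users with live sessions on more distinct hosts than max_hosts.
    Counting distinct hosts, not sessions, tolerates the normal case of
    one user with several sessions on the same machine."""
    return {user: sorted(hosts)
            for user, hosts in open_sessions(events).items()
            if len(hosts) > max_hosts}
```

The threshold is a tuning knob: in the sample, alice is flagged at the default of two hosts but not at three.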