I have a use case where I need to log privileged user activity in Windows.
I have set up a stream for privileged user logons. Now I need to save the Logon ID from these events (it is extracted in a field) and log all subsequent events with the same Logon ID. The Logon ID is created and assigned randomly at logon time and lasts until the account logs off. All account activity has that Logon ID embedded somewhere in the event.
The scenario is as follows:
- Identify (done via stream) and save the Logon ID of a privileged account (How?) at logon time.
- Look for all subsequent security audit events that have the Logon ID field with the value saved in Step 1. How?
- Stop processing when the account logs off (Logoff event with the same Logon ID as in step 1).
All the events with that logon ID constitute a session to track automatically.
Can this be done with pipelines? I know pipelines allow searches for information within an event, but not across events. Is my understanding of pipelines correct?
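The three steps above (open a session on a privileged logon, attach every later event carrying the same Logon ID, close it on the matching logoff) are a stateful correlation: something has to remember the Logon ID between messages. As an added example, not code from the original post and not a Graylog pipeline rule, the script below implements that state machine in Python over a handful of constructed Security-log events. The event dicts, the field names (`event_id`, `logon_id`, `account`) and the `PRIVILEGED_ACCOUNTS` set are assumptions standing in for whatever the stream and extractors produce; the event IDs (4624 logon, 4672 special privileges assigned, 4688 process creation, 4634/4647 logoff) are the real Windows Security event IDs. Note that in a 4624 event the new session's ID is in `TargetLogonId`, while later events carry it in `SubjectLogonId`, so an extractor has to map both into the one `logon_id` field this example assumes.

```python
"""Track privileged-user sessions by Logon ID across Windows Security events.

Constructed example: the events below are hand-written dicts standing in for
fields an extractor would pull from the Security log. They are not real log data.
"""
from dataclasses import dataclass, field

LOGON_EVENTS = {4624}          # An account was successfully logged on
LOGOFF_EVENTS = {4634, 4647}   # An account was logged off / user initiated logoff
PRIVILEGED_ACCOUNTS = {"CORP\\admin-jdoe"}   # assumption: supplied by the operator


@dataclass
class Session:
    logon_id: str
    account: str
    events: list = field(default_factory=list)
    closed: bool = False


class SessionTracker:
    """State that must live across messages: open sessions keyed by Logon ID."""

    def __init__(self, privileged):
        self.privileged = set(privileged)
        self.open = {}        # logon_id -> Session (still logged on)
        self.completed = []   # Sessions closed by a matching logoff, in order

    def process(self, ev):
        eid = ev["event_id"]
        # Step 1: a logon by a privileged account opens a session keyed by its Logon ID.
        # (For 4624 the extractor must supply TargetLogonId as logon_id.)
        if eid in LOGON_EVENTS:
            if ev["account"] in self.privileged:
                self.open[ev["logon_id"]] = Session(ev["logon_id"], ev["account"], [ev])
            return
        # Step 2: any later event whose SubjectLogonId is a tracked Logon ID joins it.
        # Events for untracked IDs, or for IDs already logged off, are ignored.
        sess = self.open.get(ev.get("logon_id"))
        if sess is None:
            return
        sess.events.append(ev)
        # Step 3: a logoff carrying the same Logon ID closes the session.
        if eid in LOGOFF_EVENTS:
            sess.closed = True
            self.completed.append(self.open.pop(sess.logon_id))


# Constructed sample events, in arrival order. Logon IDs are made up.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "CORP\\admin-jdoe", "logon_id": "0x3E7A1"},  # privileged logon
    {"event_id": 4624, "account": "CORP\\alice",      "logon_id": "0x3E7B2"},  # ordinary user: ignored
    {"event_id": 4672, "account": "CORP\\admin-jdoe", "logon_id": "0x3E7A1"},  # special privileges
    {"event_id": 4688, "account": "CORP\\admin-jdoe", "logon_id": "0x3E7A1"},  # process created
    {"event_id": 4688, "account": "CORP\\alice",      "logon_id": "0x3E7B2"},  # not tracked
    {"event_id": 4634, "account": "CORP\\admin-jdoe", "logon_id": "0x3E7A1"},  # logoff closes session
    {"event_id": 4688, "account": "CORP\\admin-jdoe", "logon_id": "0x3E7A1"},  # arrives after logoff: dropped
    {"event_id": 4624, "account": "CORP\\admin-jdoe", "logon_id": "0x3F000"},  # second privileged logon
    {"event_id": 4688, "account": "CORP\\admin-jdoe", "logon_id": "0x3F000"},  # still open, no logoff seen
]


def run_example(events=SAMPLE_EVENTS):
    """Feed the sample events through the tracker and return it for inspection."""
    tracker = SessionTracker(PRIVILEGED_ACCOUNTS)
    for ev in events:
        tracker.process(ev)
    return tracker


if __name__ == "__main__":
    t = run_example()
    for s in t.completed:
        print(f"closed session {s.logon_id} ({s.account}): "
              f"{[e['event_id'] for e in s.events]}")
    for s in t.open.values():
        print(f"still open {s.logon_id} ({s.account}): "
              f"{[e['event_id'] for e in s.events]}")
```

The `open` dictionary is the part a per-message rule cannot provide: each event is classified only by comparing its Logon ID with IDs remembered from earlier events. Wherever you run this (a script tailing exported events, a stream consumer, or a lookup table that a rule both writes to at logon and reads from afterwards), that remembered set of Logon IDs, plus some expiry for sessions whose logoff never arrives, is the piece that has to exist outside a single event.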