wazuh / wazuh-ruleset

Wazuh - Ruleset
https://wazuh.com

Rule to get alert on more than one windows session of the same user? #283

Open shahmilan34 opened 5 years ago

shahmilan34 commented 5 years ago

If a user is already logged in and an attempt is made to log on as the same user from a different IP, then we need to send an alert.

sergiospa commented 5 years ago

Hi shahmilan34,

Unfortunately, Windows events don't provide enough information to determine whether a logon attempt was produced while a session was still open for that user. Wazuh is limited to the logs received from its agents, and the correlation engine is not able to determine whether a session for that user was open or not when the second login happens.

Windows sends Logon and Logoff events when a session is opened or closed, and it generates several events for the same logon with different Event IDs.

[image: screenshot of the Windows logon/logoff events]

This screenshot corresponds to the event you describe. As you can see, there is no event that indicates a double session was open for the same user.

Wazuh processes each one of those events separately, and can keep track of them for a certain time. But it is not possible to achieve the behaviour you request using the ruleset.

We're sorry we can't provide you help with your use case.

Best regards, Sergio.
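For readers wondering what the missing correlation would actually have to look like, here is an added example of the stateful logic described above (tracking open sessions per user and flagging a logon from a different source IP while one is still open). It is not part of the wazuh-ruleset or anything the Wazuh engine does; the event records, field names and timestamps are constructed for illustration.

```python
"""Stateful correlation of Windows logon/logoff events (added example).

Assumes already-parsed records with the fields below. Event 4624 is a
successful logon and 4634 a logoff; the Logon ID ties a logoff to the
logon that opened the session. Source IP is only present on 4624.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    ts: int         # epoch seconds (constructed)
    event_id: int   # 4624 = logon, 4634 = logoff
    user: str
    src_ip: str     # empty for logoff events
    logon_id: str   # Windows Logon ID of the session


def correlate(events: List[Event], max_age: int = 8 * 3600) -> List[dict]:
    """Return one alert per logon that arrives while the same user still
    has an open session from a different source IP. Sessions with no
    logoff seen within max_age seconds are treated as closed."""
    open_sessions: Dict[str, Dict[str, Event]] = {}  # user -> logon_id -> logon
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        sessions = open_sessions.setdefault(ev.user, {})
        # Expire stale sessions whose logoff was never observed.
        for lid in [l for l, s in sessions.items() if ev.ts - s.ts > max_age]:
            del sessions[lid]
        if ev.event_id == 4634:
            sessions.pop(ev.logon_id, None)
        elif ev.event_id == 4624:
            other_ips = sorted({s.src_ip for s in sessions.values()
                                if s.src_ip != ev.src_ip})
            if other_ips:
                alerts.append({"ts": ev.ts, "user": ev.user,
                               "new_ip": ev.src_ip, "open_from": other_ips})
            sessions[ev.logon_id] = ev
    return alerts


# Constructed sample: alice opens two sessions from 10.0.0.1, then one from
# 10.0.0.2 while they are still open, logs everything off, then logs on
# again from 10.0.0.3 with nothing open.
SAMPLE = [
    Event(1000, 4624, "alice", "10.0.0.1", "0x1A"),
    Event(1100, 4624, "alice", "10.0.0.1", "0x1B"),  # same IP: no alert
    Event(1200, 4624, "alice", "10.0.0.2", "0x1C"),  # different IP: alert
    Event(1300, 4634, "alice", "", "0x1A"),
    Event(1350, 4634, "alice", "", "0x1B"),
    Event(1400, 4634, "alice", "", "0x1C"),
    Event(1500, 4624, "alice", "10.0.0.3", "0x1D"),  # all closed: no alert
    Event(1600, 4624, "bob", "10.0.0.9", "0x2A"),
]
```

Running `correlate(SAMPLE)` yields a single alert for alice at ts 1200, which is exactly the state the stateless per-event rules cannot carry.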

shahmilan34 commented 5 years ago

Using Windows AD 2012, can we configure AD to run a script or write a log to a file when a user has multiple sessions?