Security

disabled user activity

108246
New Member

Hello

I'm looking for suggestions on a rule for : showing activity from a disabled user account.

The following rule is what i have created, let me know if you think it can be tweaked or other any other query which you think does the job best.

signature="Account is currently disabled" Workstation_Name!=XXXXXXX | table _time,user,signature,Workstation_Name,EventCode

Regards
Arun

Tags (1)
0 Karma

ben_leung
Builder

Maybe you can use index=_* user=* action="login attempt", and from there narrow down what you want with inactive or disabled user accounts. There are other values in action that could benefit what you want. Hope this helps.

0 Karma

108246
New Member

Thanks Ben

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...