Splunk Enterprise Security

Splunk Expired account activity

kiran331
Builder

Hi

What should be defined in the Assets & Identities data model for expired accounts? Right now in the data model it is defined as endDate=*, and it is considering all accounts as expired.


simon_lavigne
Path Finder

I had a similar issue where accounts set to "never" expire generated an expired account activity alert because, as illustrated by jstoner above, the Expired Identities object matches all values.

Instead of changing the data model I set endDate to a null value where accountExpires=(never)

| eval endDate=if(accountExpires="(never)","",accountExpires)

rich7177 has a good example of an ldap search that exports nicely to ES here.
https://answers.splunk.com/answers/400373/how-to-speed-up-ldap-active-directory-searches-spe.html

jstoner_splunk
Splunk Employee

The way the Expired Identities object works in the Asset & Identities data model really looks like this:

|identities |search endDate=*

The identities command returns a list of identities, but endDate=* will just return individuals who have a value in the end date. The expected value for end date is a time, and would generally be a time that has already passed.

kiran331
Builder

What should be changed to make this work as expected, so that the correlation search "Account activity for expired accounts" will work?


jstoner_splunk
Splunk Employee

Do all of your identities have end dates in them? If an identity's endDate value is null, these identities don't get returned in the above search.

The way I would interpret the search is that the only people who should have end dates would be people who have left the organization, and I put the end date in at their termination/departure. At that point, I can then search for folks who have an end date, and this would allow me to trigger on expired accounts in that manner.

If all your identities have end dates, some in the past, some in the future, we might have to look at changing things a bit to accommodate the data already populated. You could make that change at the data model level and say something like |identities |search endDate


kiran331
Builder

Not all identities have end dates, but we do have some identities with end dates (past and future). Right now it is considering all of them as expired accounts even when the end date is in the future.


jstoner_splunk
Splunk Employee

Right, I suspected that based on your comments. Based on that, you may want to look at modifying the data model, which treats expired identities as endDate=*, and instead change this to be endDate


kiran331
Builder

Yes, I have to change the data model. What should I place in there instead of endDate=*?


jstoner_splunk
Splunk Employee

Sorry, it cut it off in my response. Can you try endDate < time?

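The behaviour discussed in this thread, modelled in Python as an added example (this is not Splunk code and not from any of the posters). It reproduces the three searches on a constructed identity lookup: the stock `endDate=*` wildcard, simon_lavigne's eval that blanks endDate for accounts that never expire, and the `endDate < now` comparison jstoner_splunk suggests. The sample rows, the fixed "now" and the ISO 8601 date format are assumptions made for the example; the rule that an empty string behaves like a missing field under `endDate=*` is also an assumption, consistent with the workaround reported above.

```python
from datetime import datetime, timezone

# Constructed sample rows (not from the thread): what an ES identities lookup
# populated from an LDAP export might hold. accountExpires is the raw AD value,
# assumed already converted to ISO 8601 or "(never)"; endDate is the ES identity
# field the Expired Identities object filters on.
IDENTITIES = [
    {"identity": "alice", "accountExpires": "(never)"},               # permanent staff
    {"identity": "bob",   "accountExpires": "2019-06-30T00:00:00Z"},  # left the organisation
    {"identity": "carol", "accountExpires": "2099-01-01T00:00:00Z"},  # contractor, future end
    {"identity": "dave",  "accountExpires": ""},                      # nothing recorded
]

# Fixed "now" so the results are reproducible (assumption for the example).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def parse_end_date(value):
    """Return a datetime for an ISO 8601 endDate, or None for empty or "(never)"."""
    if not value or value == "(never)":
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def add_end_date(rows, null_never=False):
    """Populate endDate from accountExpires, as a lookup-building search would.

    null_never=True mirrors the posted workaround:
      | eval endDate=if(accountExpires="(never)","",accountExpires)
    """
    out = []
    for row in rows:
        raw = row["accountExpires"]
        end = "" if (null_never and raw == "(never)") else raw
        out.append({**row, "endDate": end})
    return out


def wildcard_filter(rows):
    """Emulate `| identities | search endDate=*`: the field must exist with a
    non-empty value. Assumption: an empty string behaves like a missing field."""
    return [r["identity"] for r in rows if r.get("endDate")]


def expired_filter(rows, now=NOW):
    """Emulate `endDate < now`: only end dates already in the past match.
    Unparseable values ("(never)", empty) are never treated as expired."""
    out = []
    for r in rows:
        end = parse_end_date(r.get("endDate", ""))
        if end is not None and end < now:
            out.append(r["identity"])
    return out


if __name__ == "__main__":
    stock = add_end_date(IDENTITIES)
    patched = add_end_date(IDENTITIES, null_never=True)
    print("endDate=* on raw lookup:       ", wildcard_filter(stock))    # alice, bob, carol
    print("endDate=* after blanking never:", wildcard_filter(patched))  # bob, carol
    print("endDate < now:                 ", expired_filter(stock))     # bob
```

The wildcard treats every populated endDate as expired, so both "(never)" and a contractor's future end date fire the correlation search; blanking "(never)" removes the first false positive but not the second, and only the time comparison leaves just the account whose end date has passed. In real SPL the comparison needs endDate as epoch time (convert with strptime first), since `<` between two string values compares them lexicographically.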