Getting Data In

Need to check if accounts are disabled or not

deepak007
Explorer

I have an Excel sheet of 200 user IDs from our organization only; I need to verify in Splunk which of these accounts are disabled.


acharlieh
Influencer

Log analysis through Splunk does not seem like the correct approach to answering the question of whether accounts are currently disabled or not... instead you should be looking at the source of truth that maintains the accounts and seeing the state of the accounts. (Now if you were asking when accounts were disabled and by whom, then Splunk is your tool, assuming you're capturing and retaining those audit logs for long enough.)

With Windows systems in a reasonably sized organization, I would guess your accounts are maintained in an Active Directory domain. To answer your question we'll need to query the state of those objects in AD, and the best way to do so in bulk is through LDAP queries. If you absolutely need to keep results in Splunk, then SA-ldapsearch will help here, but honestly I would rather use the ldapsearch CLI utility from OpenLDAP, or if you prefer a GUI to perform LDAP searches, I'd recommend Apache Directory Studio.

Now to build your LDAP search. Often, when people say they have a userid for a domain account, they mean that they have a list of SAMAccountNames. But it could be other naming attributes, or even email addresses. Whichever attribute it is, you'll then build an OR list of them in your LDAP filter to find all of the accounts based on these identifiers... Something like:

(|
   (samaccountname=firstusername)
   (samaccountname=secondusername)
   ...
   (samaccountname=lastusername)
)

While I'm writing this on multiple lines for clarity, I should note that it could be collapsed into a single line just as easily, thanks to the parentheses being groupers and delimiters.

Next the question is which of these accounts are disabled and which are enabled. To answer this in Active Directory you'll need to be familiar with the userAccountControl attribute. This is a bit flag of statuses of the user accounts in AD... including whether the account is disabled or not. Knowing that the 2 bit is the flag for the account being disabled, we could just download this attribute with our previous filter and sort it out ourselves... But knowing that there are bitwise search operators for LDAP filters, we can actually build upon our previous filter with two different searches to answer that question for us from LDAP.

To get the set of accounts that are disabled (where the disabled flag is set), we need an AND filter with our previous query... like so:

(&
  (userAccountControl:1.2.840.113556.1.4.803:=2)
  (|(samaccountname=firstusername)...)
)

And to get the set of accounts that are not disabled, we add a NOT filter around our check for the 2 bit on the user account control.

(&
  (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  (|(samaccountname=firstusername)...)
)

And if an account is returned by neither search, then it's not in Active Directory anymore.

I hope this gives you an idea of how to do this, and I hope I've impressed upon you the need to use the right tool for the question you're trying to answer (and that Splunk may not be the answer all the time!). If you're not using Active Directory at your organization, then the steps will vary, but the general idea is similar: look up the account status in the source of truth for the accounts; don't rely on the set of captured logs to tell you the current status.
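As an added example (not code from the thread or from either answer), the following Python script turns a CSV export of account names into the two LDAP filters described above and applies the same bitwise test on userAccountControl that the LDAP_MATCHING_RULE_BIT_AND rule performs server-side, sorting the list into disabled, enabled and not-found accounts. The CSV content, the `user` column name and the directory contents are constructed sample data; filter values are escaped per RFC 4515 so a name copied from a spreadsheet cannot change the shape of the filter.

```python
"""Build the disabled/enabled LDAP filters from a CSV of account names and
classify the accounts by the ACCOUNTDISABLE bit of userAccountControl.
Added example with constructed sample data, not the thread's own code."""
import csv
import io

# userAccountControl bit for a disabled account (the "2 bit" in the answer).
ACCOUNTDISABLE = 0x2
# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule used in the filters.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def read_names(csv_text: str, column: str = "user") -> list:
    """Read the identifier column of the spreadsheet export (assumed header 'user')."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in reader if (row.get(column) or "").strip()]


def or_filter(names, attribute: str = "sAMAccountName") -> str:
    """The (|(attr=a)(attr=b)...) clause, collapsed onto a single line."""
    return "(|" + "".join(f"({attribute}={escape_filter_value(n)})" for n in names) + ")"


def disabled_filter(names) -> str:
    """Accounts from the list whose ACCOUNTDISABLE bit is set."""
    return f"(&(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}){or_filter(names)})"


def enabled_filter(names) -> str:
    """Accounts from the list whose ACCOUNTDISABLE bit is clear."""
    return f"(&(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})){or_filter(names)})"


def classify(names, directory) -> dict:
    """Apply the same bitwise AND the server performs, against a
    {sAMAccountName: userAccountControl} mapping (e.g. parsed from ldapsearch
    output). sAMAccountName matching in AD is case-insensitive, so both sides
    are lowercased. A name matched by neither search is no longer in AD."""
    uac_by_name = {k.lower(): v for k, v in directory.items()}
    result = {"disabled": [], "enabled": [], "not_found": []}
    for name in names:
        uac = uac_by_name.get(name.lower())
        if uac is None:
            result["not_found"].append(name)
        elif uac & ACCOUNTDISABLE:
            result["disabled"].append(name)
        else:
            result["enabled"].append(name)
    return result


# Constructed spreadsheet export and constructed directory contents.
SAMPLE_CSV = "user\nawasw\nbamrb\nbaspa\nbatah\n"
SAMPLE_DIRECTORY = {
    "awasw": 0x200,          # NORMAL_ACCOUNT
    "bamrb": 0x200 | 0x2,    # NORMAL_ACCOUNT + ACCOUNTDISABLE
    "BASPA": 0x10200,        # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    # "batah" is absent on purpose: it was deleted from the directory
}

if __name__ == "__main__":
    names = read_names(SAMPLE_CSV)
    print(disabled_filter(names))
    print(enabled_filter(names))
    print(classify(names, SAMPLE_DIRECTORY))
```

The two filter strings can be pasted straight into ldapsearch or Apache Directory Studio; `classify` is only there to show, offline, what the server's bit test decides for each entry.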

HiroshiSatoh
Champion

Try this!
※Change account to your actual field name.

|inputlookup  lookup_filename|eval status="lookup"|table account,status
|append 
        [search sourcetype=WinEventLog:Security (EventCode=4725 OR EventCode=4726)
              |dedup account|eval status="Disabled OR Delete"|table account,status]
|stats list(status) as status by account

status:"lookup"⇒A valid account
status:"lookup" AND "Disabled OR Delete"⇒Invalidated account
status:"Disabled OR Delete"⇒Account not present in lookup

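The same three-way classification the search above produces, written out as an added Python example (not the answer's own code) over a constructed lookup list and constructed Windows Security events. The events use a simplified key=value rendering, and the `user` field is assumed to be the extracted target account name; the subsearch is mirrored by filtering to EventCode 4725/4726 and de-duplicating by user, and `stats list(status) by user` by collecting the status values per account.

```python
"""Classify a lookup list of accounts against 4725/4726 events, mirroring
the SPL in the answer. Added example with constructed sample data."""
import csv
import io

# Constructed lookup file content (header 'user', as in the thread).
LOOKUP_CSV = "user\nawasw\nbamrb\nbaspa\n"

# Constructed events; 'user' is assumed to hold the target account name.
SAMPLE_EVENTS = [
    "EventCode=4725 user=bamrb sourcetype=WinEventLog:Security",
    "EventCode=4726 user=bamrb sourcetype=WinEventLog:Security",
    "EventCode=4726 user=zzoth sourcetype=WinEventLog:Security",
    "EventCode=4624 user=awasw sourcetype=WinEventLog:Security",  # a logon, not a disable/delete
]

DISABLE_OR_DELETE = {"4725", "4726"}  # 4725 = account disabled, 4726 = account deleted


def parse_event(line: str) -> dict:
    """Split a constructed 'key=value key=value' line into a field dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def lookup_accounts(csv_text: str) -> list:
    """Equivalent of `inputlookup ... | table user`."""
    return [row["user"].strip() for row in csv.DictReader(io.StringIO(csv_text))
            if (row.get("user") or "").strip()]


def event_accounts(lines) -> list:
    """Equivalent of the subsearch: keep 4725/4726 events and dedup by user."""
    seen = []
    for line in lines:
        ev = parse_event(line)
        user = ev.get("user")
        if ev.get("EventCode") in DISABLE_OR_DELETE and user and user not in seen:
            seen.append(user)
    return seen


def classify(csv_text: str, lines) -> dict:
    """Mirror of `stats list(status) as status by user` plus the three rules
    given in the answer, returning {user: verdict}."""
    statuses = {}
    for user in lookup_accounts(csv_text):
        statuses.setdefault(user, []).append("lookup")
    for user in event_accounts(lines):
        statuses.setdefault(user, []).append("Disabled OR Delete")

    verdict = {}
    for user, status in statuses.items():
        if "lookup" in status and "Disabled OR Delete" in status:
            verdict[user] = "Invalidated account"
        elif "lookup" in status:
            verdict[user] = "A valid account"
        else:
            verdict[user] = "Account not present in lookup"
    return verdict


if __name__ == "__main__":
    for user, result in sorted(classify(LOOKUP_CSV, SAMPLE_EVENTS).items()):
        print(f"{user}: {result}")
```

Note what "A valid account" means here: no disable or delete event for that account was found in the retained logs, which is not the same as the account currently being enabled in the directory (the point the other answer makes about checking the source of truth).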

deepak007
Explorer

I tried
|inputlookup passwordstatedisabled |eval status="lookup"|table user,status
|append
[search sourcetype=WinEventLog:Security (EventCode=4725 OR EventCode=4726)
|dedup user|eval status="Disabled OR Delete"|table user,status]
|stats list(status) as status by user

but I guess it is showing me the disabled users in our organization, not comparing them with the users present in the lookup file; however, the users present in the CSV file are

awasw
bamrb
baspa
batah
batrg
beene

like the above


deepak007
Explorer

I guess my lookup file doesn't have any data. I tried checking my lookup file, and it is showing no data. Is there any other format to save the data in the lookup file?


HiroshiSatoh
Champion

Is the file in CSV format?
The character encoding should be UTF-8. You can change it with Notepad.

user
awasw
bamrb
baspa
batah
batrg
beene

Import the lookup file from the GUI.


deepak007
Explorer

I did it from Notepad as well; it's still not taking the data. I guess something is wrong with my lookup only.


HiroshiSatoh
Champion

Can you add ".csv" to the lookup file name when creating it?
passwordstatedisabled ⇒ passwordstatedisabled.csv


deepak007
Explorer

Yes, I added both a .csv and a .txt file with slightly different names.
It uploaded through the GUI; I gave read and write permissions to all applications and shared it.
When I tried to pivot on those files it showed no data; I'm not sure why.
Using it in inputlookup is also not working: the search gives me all the other disabled accounts but not the ones present in my list.


HiroshiSatoh
Champion

Does each of these work if run on its own?

|inputlookup filename.csv |eval status="lookup"|table user,status

index=(your index) sourcetype=WinEventLog:Security (EventCode=4725 OR EventCode=4726)|dedup user|eval status="Disabled OR Delete"|table user,status

deepak007
Explorer

I have added that file to the lookup. Can anyone suggest if I am doing something wrong?


HiroshiSatoh
Champion

Activation and deactivation of accounts can be known only by the system that manages the account.

What do you really want to check? Whether an account is in use?


deepak007
Explorer

I have a list of 200 accounts and want to check via Splunk whether those accounts are disabled in the system or not.


HiroshiSatoh
Champion

Information on Splunk users can be obtained with the following search. However, Splunk users have no valid/invalid state.

|rest /services/authentication/users splunk_server=local

deepak007
Explorer

I was not looking for the Splunk users; I was looking for the organization's users.
The exact scenario is:
Somebody gave me a list of 200 user accounts of our organization, and I need to verify through the Windows Security logs whether these accounts are disabled or not.


HiroshiSatoh
Champion

If you have collected the event log, search by event ID for the logs of disabled or deleted accounts.

4725 User account has been disabled.
4726 User account has been deleted.

You can verify this with a lookup file.


deepak007
Explorer

That is what I wanted to know.
I mean I am not getting the exact query to detect the same.

sourcetype=WinEventLog:Security (EventCode=4725 OR EventCode=4726)
I have added the CSV file into the lookup, with disableuser as the name of the lookup file.

Can you please help?
