- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search for login activity from terminated/d...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search for login activity from terminated/disabled users
I receive a weekly report on terminated users and I’m trying to create a search that will identify events/domain activity from the associated accounts, which will help catch any that haven’t been disabled or potentially malicious activity.
My thinking was to use the inputlookup function to ingest the terminated users and their last working day, then searching for successful login events (EventCode=4624) from our domain controllers after that date.
Here’s an example of my leavers_list.csv file:
user lastday
john.snow 22/04/2019
arya.stark 20/03/2019
And here’s what I tried:
| inputlookup leavers_list.csv | fields user lastday
| eval lastday=strptime(lastday, "%-d/%-m/%Y")
| search index=wineventlog user=* EventCode=4624 | where _time > lastday
I’ve used some test data in my input file which should have returned results, but I’m not getting anything back. I’m now convinced I’m going about this the wrong way. I know what I’m trying to do but failing pretty hard!
Any guidance is greatly appreciated!
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ryanisibor,
Always start your search with the bigger set of data and apply the smaller set as a filer. So try something like this for getting people that have already left the company and are logging in to windows infrastructure :
index=wineventlog EventCode=4624 [| inputlookup leavers_list.csv|return 0 user]
Since the list already contains everyone that left, any recent match to the list could be a security alert since it's a recent authentication of a person that shouldn't be here. This is exactly what the search above does, using the list of leavers as a filter for your search.
You can then use another lookup afterwards to get the exact departure date and run some stats on the search.
index=wineventlog EventCode=4624 [| inputlookup leavers_list.csv|return 0 user] | lookup user leavers_list.csv | stats whateverisneeded
Let me know how that works out for you.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you put your Major Search (i.e. search of wineventLog) later, it will be performance bottleneck. So try putting it at start itself and do a lookup of your leavers file.
Also, try putting the host=SomeDomainController* ,it will improve the search quite bit
Try like below
index=wineventlog host=<someADServers> EventCode=4624 [|inputlookup leavers_list.csv| dedup user| fields user]
| stats latest(_time) as lastActivityTime by user
| lookup leavers_list.csv user OUTPUT lastday
| eval lastday=strptime(lastday, "%d/%m/%Y")
| where lastActivityTime > lastday
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
