All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App for Windows Infrastructure: What are the parameters for UNUSED user accounts report?

grambo271
Explorer
‎09-26-2014 10:24 AM

Greetings,
I am using the Splunk App for Windows Infrastructure. In the Active Directory portion there is a report specifically for UNUSED user accounts (Active Directory\Users\User Reports\Unused). I was wondering if anyone happens to know what the variable is on that report to denote an unused account? Is it that the user has not logged in within 30 days, 90 days, 6 months or ever? I'd like to initiate cleanup of these accounts but want to make sure I have all the right information/understanding.

Thanks in advance

0 Karma
Reply

malmoore
Splunk Employee
Splunk Employee
‎01-28-2015 07:11 PM

The Windows Infrastructure app defines an "Unused user account" as an account whose logon count is 0, meaning that they have never logged on.

The search against the domain happens when you load the page and select the desired domain (which should be present if you've configured the app correctly.)

0 Karma
Reply

darlas
Communicator
‎01-29-2015 09:39 AM

Thanks malmoore.

To clarify then how this works: does the app has a list of users and looks for the existence of Windows login events for those users. If none found for a given user then they are considered an "Unused user account". Where does this list of users come from? How can I see what list of users is being used? (Professional Services set this up for us so I am missing some of the details 😞 )

Or does the app look at some attribute in AD, like lastLogon, for all users to see which users do NOT have a value in the attribute?

Thanks for helping me understand!

0 Karma
Reply

darlas
Communicator
‎01-28-2015 01:57 PM

I'd be interested in knowing this as well 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...