employee was terminated and we would like to fire an event when we see the user log on to any systems.
hello there,
the comment above by @jdhunter is very valid imho,
now it is time to ask yourself, how would i know an employee is terminated?
where can i get this data? many times from HR db, sometimes from ticketing systems as IT closing email account or something. however, relying on IT (only from my experience) to know who was terminated is not ideal.
now that you have the data, how will you correlate it to login events, windows / nix / vpn / etc ...?
different data will have different field names for user
maybe Account_Name
or username
or other field names.
first, you will probably want to normalize all the fields so you can capture the most in one single search.
the CIM (Common Information Model) is a great tool to help you accomplish that, read here:
http://docs.splunk.com/Documentation/CIM/4.11.0/User/Overview
otherwise, you can use field aliases
for example, read here: https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Addaliasestofields
second, you would like to have a list, lookup, with names of all terminated employees.
finally, build a search that will look for all user logins and match the usernames to your lookup of terminated personnel
hope it helps
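The three steps above (normalize the user field, keep a lookup of terminated staff, match logins against it) as one SPL search. This is an added example, not code from the answer or from Splunk documentation, and it assumes: a CSV lookup `terminated_employees.csv` uploaded to Splunk with the header `user,termination_date` and usernames in lower case; Windows Security events in `index=wineventlog` with sourcetype `WinEventLog:Security`; and VPN authentication events in `index=vpn` with sourcetype `vpn:auth` carrying a `username` field and `action=success`. The index names and the VPN sourcetype are placeholders to replace with your own.

```spl
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624)
    OR (index=vpn sourcetype="vpn:auth" action=success)
| eval user=lower(coalesce(user, mvindex(Account_Name, -1), username))
| rex field=user "^(?:[^\\\\]+\\\\)?(?<user>[^@]+)"
| lookup terminated_employees.csv user OUTPUT termination_date
| where isnotnull(termination_date)
| stats count earliest(_time) as first_seen latest(_time) as last_seen
        values(sourcetype) as log_sources values(host) as hosts
        by user termination_date
| convert ctime(first_seen) ctime(last_seen)
```

Line by line: the `eval` builds one `user` field from whichever name each source uses (`user` if the Splunk Add-on for Windows has already mapped it, otherwise the last value of the multivalued `Account_Name`, which on a 4624 event is the account that actually logged on rather than the subject, otherwise the VPN `username`) and lower-cases it so it matches the lookup regardless of how the source capitalises names. The `rex` strips a `DOMAIN\` prefix or an `@domain` suffix so `CORP\jdoe`, `jdoe@corp.example` and `jdoe` all compare equal. The `lookup` enriches every event with `termination_date` where the user is on the list, and the `where` keeps only those; everything else is dropped. `stats` collapses the matches to one row per terminated user with first and last sighting, which sources saw them and on which hosts. Two caveats: if you cannot lower-case the lookup contents, set `case_sensitive_match = false` on its lookup definition in transforms.conf instead of relying on `lower()`; and if you have the CIM Authentication data model accelerated, the first two lines can be replaced with a `| tstats count from datamodel=Authentication where Authentication.action=success by Authentication.user Authentication.src Authentication.dest`, which is both faster and already normalized across Windows, Unix and VPN sources. Schedule the search over a short window (for example every 15 minutes over the previous 15 minutes) and alert when the number of results is greater than 0.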
What type of logs are you bringing into Splunk?
For Windows Security Logs, you would want to look for EventCode 4624 (Successful log on) & EventCode 4625 (failed login) for the user in question. If you don't care about attempts, you can leave out 4625.
If you have VPN solution, you should check those logs as well.
Create your search and then schedule an alert. Trigger on anything greater than 0
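The 4624/4625 search described in this answer, written out for a single named user. This is an added example, not code from the answer or from Splunk documentation; it assumes the Windows Security log is in `index=wineventlog` with sourcetype `WinEventLog:Security` (a placeholder index name) and that the Splunk Add-on for Microsoft Windows is installed so that `user` holds the target account of each logon event. `jdoe` is a placeholder for the terminated user's account name.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4624 OR EventCode=4625) user="jdoe"
| eval outcome=if(EventCode=4624, "success", "failure")
| stats count(eval(outcome="success")) as successes
        count(eval(outcome="failure")) as failures
        earliest(_time) as first_seen latest(_time) as last_seen
        values(Logon_Type) as logon_types
        values(Source_Network_Address) as src_ips
        by user host
| convert ctime(first_seen) ctime(last_seen)
```

Each output row is one host on which the account was seen, with separate counts of successful and failed logons, the logon types involved (2 interactive, 3 network, 10 remote interactive, and so on) and the source addresses the attempts came from, which is what an analyst needs in the alert e-mail to decide whether a badge-access console, a service still running under the old account, or a person is behind the event. Drop `EventCode=4625` and the `failures` column if, as the answer says, you do not care about attempts. Without the add-on, search on `Account_Name="jdoe"` instead of `user`, but note that `Account_Name` is multivalued on these events (subject account first, logon account last), so a match on it can also fire when `jdoe` is the subject rather than the account that logged on; `mvindex(Account_Name, -1)` selects the logon account. Save the search, schedule it (for example every 15 minutes over the previous 15 minutes) and set the trigger condition to "Number of Results" greater than 0; one row is enough to mean the account was used.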