I receive a weekly report on terminated users and I’m trying to create a search that will identify events/domain activity from the associated accounts, which will help catch any that haven’t been disabled or potentially malicious activity.
My thinking was to use the inputlookup function to ingest the terminated users and their last working day, then search for successful login events (EventCode=4624) from our domain controllers after that date.
Here’s an example of my leavers_list.csv file:
user lastday
john.snow 22/04/2019
arya.stark 20/03/2019
And here’s what I tried:
| inputlookup leavers_list.csv | fields user lastday
| eval lastday=strptime(lastday, "%-d/%-m/%Y")
| search index=wineventlog user=* EventCode=4624 | where _time > lastday
I’ve used some test data in my input file which should have returned results, but I’m not getting anything back. I’m now convinced I’m going about this the wrong way. I know what I’m trying to do but failing pretty hard!
Any guidance is greatly appreciated!
Thanks
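The structure below is an added example, not the poster's own search: it lets the leavers list drive a real event search via a subsearch, then joins the last day back onto each event with lookup, instead of running `search` over the lookup rows themselves (which carry no index or EventCode field, so that filter matches nothing). It assumes leavers_list.csv is uploaded as a lookup table file, that the `user` field on 4624 events holds the bare account name in any letter case, that the CSV dates follow the DD/MM/YYYY layout shown in the question, and that 90 days covers the oldest last day on the list; `Logon_Type` and `host` are standard fields on Windows 4624 events.

```spl
index=wineventlog EventCode=4624 earliest=-90d
    [| inputlookup leavers_list.csv | fields user]
| eval user=lower(user)
| lookup leavers_list.csv user OUTPUT lastday
| eval cutoff=relative_time(strptime(lastday, "%d/%m/%Y"), "+1d")
| where isnotnull(cutoff) AND _time >= cutoff
| stats count AS logins, min(_time) AS first_seen, max(_time) AS last_seen,
        values(Logon_Type) AS logon_types, values(host) AS domain_controllers
        BY user, lastday
| sort - last_seen
| convert ctime(first_seen) ctime(last_seen)
```

`cutoff` is midnight at the start of the day after the recorded last day, so a login on the final working day itself is not flagged; drop the `+1d` if the list records the first day the account should already be disabled. Accounts that appear in the result either still have a live credential or were used after leaving, so each row is worth a disable-and-investigate ticket.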