topic Re: Successful dormant user logins in Getting Data In

Successful dormant user logins

saurabh_tek — Sat, 08 Oct 2016 15:02:13 GMT

hello I am trying to write a query for Successful dormant user logins
whereas the user has successfully logged in today but in last 30 days there was no activity done by this same user.

Here is my query - (which needs refinement)

index=wineventlog EventCode=4624 user!="$" earliest= @d latest = now()| transaction user [search EventCode!=4624 user!="$" earliest=-2d latest=@d] | table _time, user

if anyone can help in getting this refined and do what is needed, that would be great help.

Re: Successful dormant user logins

saurabh_tek — Sat, 08 Oct 2016 19:09:43 GMT

okay. I have optimized it a little bit apparently ..

index=wineventlog EventCode=4624 user!="$" earliest= @d latest = now() | transaction user maxspan=60d search (EventCode!=)

looking for more suggestions.. to get this working what is intended

Re: Successful dormant user logins

saurabh_tek — Sat, 08 Oct 2016 19:10:42 GMT

okay. I have optimized it a little bit apparently ..

index=wineventlog EventCode=4624 user!=\"$\" earliest= @d latest = now() | transaction user maxspan=60d search (EventCode!=)

looking for more suggestions.. to get this working what is intended

Re: Successful dormant user logins

richgalloway — Sat, 08 Oct 2016 20:03:37 GMT

Perhaps this will help. The idea is to look at the last 30 days of successful logins and find the users that have signed in only once and that login was today.

index=wineventlog EventCode=4624 user!="$" earliest= -30d@d | stats count(_time) as Logins latest(_time) as LastLogin by user | where Logins=1 AND LastLogin>relative_time(now(),"@d") | ...

Re: Successful dormant user logins

saurabh_tek — Tue, 11 Oct 2016 20:52:08 GMT

Thanks for prompt support.
With earliest 30 days, it takes way too much time and showing lot of users with 1 logins, i dont think these many users accessing their dormant a/cs in our environment.