topic Re: Splunk Expired account activity in Splunk Enterprise Security

Splunk Expired account activity

kiran331 — Mon, 22 Aug 2016 17:00:30 GMT

What should be defined in Assets & identities data model for the expired accounts, right now in the data model its is defined as endDate=*, its considering all as expired accounts.

Re: Splunk Expired account activity

jstoner_splunk — Thu, 25 Aug 2016 15:51:38 GMT

The way the Expired Identities object works in the Asset & Identities data model really looks like this:

|identities |search endDate=*

The identity returns a list of identities, but the endDate=* will just return individuals who have a value in the end date. The expected value for end date is a time and would generally be a time that has already passed.

Re: Splunk Expired account activity

kiran331 — Mon, 29 Aug 2016 20:19:08 GMT

What should be changed to make this work as expected? so the Correlation search "Account activity for expired accounts" will work.

Re: Splunk Expired account activity

jstoner_splunk — Tue, 30 Aug 2016 00:45:25 GMT

Do all of your identities of end dates in them? If an identity endDate value is null, these identities don't get returned in the above search.

The way I would interpret the search is that the only people who should have end dates would be people who have left the organization and I put the end date in at their termination/departure. At that point, I can then search for folks who have an end date and this would allow me to trigger on expired accounts in that manner.

If all your identities have end dates, some in the past, some in the future, we might have to look at changing things a bit to accommodate the data already populated. You could make that change at the data model level and say something like |identities |search endDate

Re: Splunk Expired account activity

kiran331 — Wed, 31 Aug 2016 15:28:58 GMT

Not all Identities has End dates.But we do have some identities having end dates(past&future). Right now it is considering all as expired accounts event the end date is in future.

Re: Splunk Expired account activity

jstoner_splunk — Wed, 31 Aug 2016 15:31:52 GMT

Right, I suspected that based on your comments. Based on that, you may want to look at modifying the data model that treats expired identities as endDate=* and instead change this to be endDate

Re: Splunk Expired account activity

kiran331 — Wed, 31 Aug 2016 15:49:59 GMT

Yes, I have to change the Data model. What should Place in there instead of endDate=*

Re: Splunk Expired account activity

jstoner_splunk — Wed, 31 Aug 2016 15:51:24 GMT

sorry it cut it off in my response. Can you try endDate 'less than sign' time

Re: Splunk Expired account activity

simon_lavigne — Mon, 19 Sep 2016 02:01:58 GMT

I had a similar issue where accounts set to "never" expire generated an expired account activity alert because as illustrated by jstoner above, the Expired Identities object matches all values.

Instead of changing the data model I set endDate to a null value where accountExpires=(never)

| eval endDate=if(accountExpires="(never)","",accountExpires)

rich7177 has a good example of an ldap search that exports nicely to ES here.
https://answers.splunk.com/answers/400373/how-to-speed-up-ldap-active-directory-searches-spe.html