
Need help in creating a search to detect malicious activity from a terminated employee

Ghanayem1974
Path Finder

An employee was terminated and we would like to fire an event when we see the user log on to any system.

1 Solution

adonio
SplunkTrust

hello there,

the comment above by @jdhunter is very valid imho,
now it is time to ask yourself, how would I know an employee is terminated?
where can I get this data? many times from the HR db, sometimes from ticketing systems as IT closes the email account or something. however, relying on IT (only from my experience) to know who was terminated is not ideal.
now that you have the data, how will you correlate it to login events, windows / nix / vpn / etc ...?
different data will have different field names for user, maybe Account_Name or username or other field names.
first, you will probably want to normalize all the fields so you can capture the most in one single search.
the CIM (Common Information Model) is a great tool to help you accomplish that, read here:
http://docs.splunk.com/Documentation/CIM/4.11.0/User/Overview
otherwise, you can use field aliases for example, read here: https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Addaliasestofields
second, you would like to have a list, lookup, with the names of all terminated employees.
finally, build a search that will look for all user logins and match the usernames to your lookup of terminated personnel

hope it helps



jdhunter
Path Finder

What type of logs are you bringing into Splunk?

For Windows Security logs, you would want to look for EventCode 4624 (successful logon) & EventCode 4625 (failed logon) for the user in question. If you don't care about attempts, you can leave out 4625.

If you have a VPN solution, you should check those logs as well.

Create your search and then schedule an alert. Trigger on anything greater than 0.

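The two answers above describe one pipeline: normalize the user field across Windows, *nix and VPN logs, keep a lookup of terminated employees, pick out the login events (4624, optionally 4625), and alert when the match count is greater than 0. The following is an added example that runs that logic in Python over constructed sample events; it is not from the thread and not Splunk's own code. The field names, sourcetypes, host names, users and the lookup CSV are all assumptions made up for the demonstration. It also handles two things a practitioner hits in practice: Windows 4624/4625 events carry two Account_Name values (subject, then target) and machine accounts end in `$`, and a termination date in the lookup is what stops a back-filled lookup from alerting on logins from before the termination.

```python
"""Correlate login events against a terminated-employee lookup (added example)."""
import csv
import io
from datetime import datetime, timezone

# Source-specific names that all mean the CIM "user" field (assumed; adjust to your data).
USER_FIELD_ALIASES = ("user", "Account_Name", "username", "acct")

# Windows Security: 4624 = successful logon, 4625 = failed logon.
LOGIN_EVENT_CODES = {"4624": "success", "4625": "failure"}

# Constructed lookup, as an HR export to terminated_employees.csv might look.
TERMINATED_CSV = """user,termination_date
jdoe,2021-05-03
asmith,2021-04-20
"""

# Constructed events with fields as Splunk would extract them (all fictional).
SAMPLE_EVENTS = [
    {"_time": "2021-05-04T08:12:00Z", "sourcetype": "WinEventLog:Security", "EventCode": "4624",
     "Account_Name": ["-", "jdoe"], "ComputerName": "fs01.corp.example", "Logon_Type": "3"},
    {"_time": "2021-05-01T09:00:00Z", "sourcetype": "WinEventLog:Security", "EventCode": "4624",
     "Account_Name": ["-", "jdoe"], "ComputerName": "ws22.corp.example", "Logon_Type": "2"},
    {"_time": "2021-05-05T22:41:10Z", "sourcetype": "cisco:asa", "action": "success",
     "username": "CORP\\asmith", "dest": "vpn01.corp.example"},
    {"_time": "2021-05-05T22:45:00Z", "sourcetype": "linux_secure", "action": "success",
     "user": "bob", "dest": "bastion.corp.example"},
    {"_time": "2021-05-06T03:00:00Z", "sourcetype": "WinEventLog:Security", "EventCode": "4624",
     "Account_Name": ["-", "FS01$"], "ComputerName": "fs01.corp.example", "Logon_Type": "5"},
    {"_time": "2021-05-06T07:30:00Z", "sourcetype": "WinEventLog:Security", "EventCode": "4625",
     "Account_Name": ["-", "JDOE@corp.example"], "ComputerName": "dc01.corp.example", "Logon_Type": "3"},
]


def normalize_user(raw):
    """Lower-case and strip a DOMAIN\\ prefix or @realm suffix so every source agrees."""
    u = raw.strip().lower()
    if "\\" in u:
        u = u.split("\\", 1)[1]
    if "@" in u:
        u = u.split("@", 1)[0]
    return u


def extract_user(event):
    """Normalized user for an event, or None if it has no usable one.

    Windows 4624/4625 list the subject account first and the target (the one
    that logged on) last; machine accounts (trailing '$') are skipped so a
    host's own service logons do not trip the alert.
    """
    for field in USER_FIELD_ALIASES:
        value = event.get(field)
        if value is None:
            continue
        if isinstance(value, list):
            value = value[-1]
        user = normalize_user(value)
        if not user or user == "-" or user.endswith("$"):
            return None
        return user
    return None


def is_login_event(event, include_failures=True):
    """Keep successful logons (and, optionally, failed attempts) from any source."""
    outcomes = {"success", "failure"} if include_failures else {"success"}
    code = event.get("EventCode")
    if code is not None:
        return LOGIN_EVENT_CODES.get(str(code)) in outcomes
    return event.get("action") in outcomes


def _ts(s, fmt):
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def load_terminated(csv_text):
    """Parse the lookup into {normalized user: termination datetime (UTC)}."""
    return {normalize_user(r["user"]): _ts(r["termination_date"], "%Y-%m-%d")
            for r in csv.DictReader(io.StringIO(csv_text))}


def find_terminated_logins(events, terminated, include_failures=True):
    """Login events by terminated users that occurred on or after the termination date."""
    hits = []
    for ev in events:
        if not is_login_event(ev, include_failures):
            continue
        user = extract_user(ev)
        if user is None or user not in terminated:
            continue
        if _ts(ev["_time"], "%Y-%m-%dT%H:%M:%SZ") < terminated[user]:
            continue  # pre-termination activity: not what this alert is for
        hits.append({"user": user, "time": ev["_time"], "sourcetype": ev["sourcetype"],
                     "dest": ev.get("dest") or ev.get("ComputerName"),
                     "outcome": LOGIN_EVENT_CODES.get(str(ev.get("EventCode")), ev.get("action"))})
    return hits


def should_alert(hits):
    """The scheduled-alert condition from the thread: trigger when count > 0."""
    return len(hits) > 0


def summarize(hits):
    """Per-user rollup, like `stats count values(dest) min(_time) by user`."""
    out = {}
    for h in hits:
        s = out.setdefault(h["user"], {"count": 0, "dests": set(), "first_seen": h["time"]})
        s["count"] += 1
        s["dests"].add(h["dest"])
        s["first_seen"] = min(s["first_seen"], h["time"])
    return out


if __name__ == "__main__":
    found = find_terminated_logins(SAMPLE_EVENTS, load_terminated(TERMINATED_CSV))
    for user, s in sorted(summarize(found).items()):
        print(f"{user}: {s['count']} event(s), first {s['first_seen']}, on {sorted(s['dests'])}")
    print("ALERT" if should_alert(found) else "no hits")
```

On the sample data this flags jdoe's post-termination logon to fs01 and failed attempt at dc01, and asmith's VPN login, while ignoring jdoe's logon from before the termination date and the FS01$ machine-account logon; with `include_failures=False` the 4625 drops out, which is the "leave out 4625" choice from the thread. In SPL the same shape is roughly a search over the login sourcetypes, an `eval` that builds a lower-cased `user` (for Windows, `mvindex(Account_Name, -1)` picks the target account), a `lookup` against the terminated-employees CSV that outputs `termination_date`, a `where` that keeps rows with a termination date earlier than `_time`, and `stats count values(dest) by user` feeding an alert with a trigger condition of count greater than 0.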