
How can I find AD accounts that haven't been used for a specified time period?

rodiers01
New Member

Query that can tell me non-disabled Active Directory accounts that have not been used in 12 or more weeks?

All in the title. I'm looking to run a query that can give me this data. Thanks all.

0 Karma

jkat54
SplunkTrust
 index=activedirectory | stats latest(login) as latest latest(active) as active by user | where latest<now()-7776000 AND active="true"

Assuming you have an index called activedirectory with events containing fields called user, login and active.

Of course, you didn't say you have data like this; I just had to guess at what you've got 😉

0 Karma
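The selection logic of the query above, written out as an added Python example (not code from this thread) so it can be run over constructed events and the boundary cases checked. It uses the 12-week cutoff from the question (7,257,600 seconds), which is slightly shorter than the 7,776,000 seconds (90 days) in the query. The `Event` shape, the user names and the string value "true" for `active` are assumptions that mirror the fields guessed at in the answer.

```python
import time
from collections import namedtuple

# Assumed event shape, mirroring the fields the answer guesses at:
# user, login (epoch seconds of a logon) and active ("true"/"false").
Event = namedtuple("Event", "user login active")

TWELVE_WEEKS = 12 * 7 * 24 * 3600   # 7,257,600 s; 90 days would be 7,776,000 s


def stale_enabled_accounts(events, now, max_idle=TWELVE_WEEKS):
    """Return [(user, idle_days)] for enabled accounts idle >= max_idle.

    Equivalent of `stats latest(login) latest(active) by user`: the newest
    event per user supplies both the last logon and the enabled state.
    """
    newest = {}
    for ev in events:
        seen = newest.get(ev.user)
        if seen is None or ev.login > seen.login:
            newest[ev.user] = ev
    cutoff = now - max_idle
    stale = [
        (ev.user, int((now - ev.login) // 86400))
        for ev in newest.values()
        if ev.active == "true" and ev.login <= cutoff
    ]
    # Longest-idle accounts first, since those are reviewed first.
    return sorted(stale, key=lambda row: -row[1])


def sample_events(now):
    """Constructed sample data (hypothetical users), not real AD output."""
    day = 86400
    return [
        Event("alice", now - 3 * day, "true"),     # recently used
        Event("bob", now - 200 * day, "true"),     # older logon, superseded
        Event("bob", now - 100 * day, "true"),     # bob's latest logon
        Event("carol", now - 120 * day, "false"),  # idle but disabled
        Event("erin", now - 86 * day, "true"),     # past 12 weeks, under 90 days
    ]


if __name__ == "__main__":
    now = int(time.time())
    for user, idle in stale_enabled_accounts(sample_events(now), now):
        print(f"{user}\tidle {idle} days")
```

An account with no logon event at all in the input never appears in the result, here or in the Splunk search, so the searched time range has to reach back well past the cutoff.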