Security
Highlighted

disabled user activity

New Member

Hello

I'm looking for suggestions on a rule for : showing activity from a disabled user account.

The following rule is what i have created, let me know if you think it can be tweaked or other any other query which you think does the job best.

signature="Account is currently disabled" WorkstationName!=XXXXXXX | table _time,user,signature,WorkstationName,EventCode

Regards
Arun

Tags (1)
0 Karma
Highlighted

Re: disabled user activity

Builder

Maybe you can use index=_* user=* action="login attempt", and from there narrow down what you want with inactive or disabled user accounts. There are other values in action that could benefit what you want. Hope this helps.

0 Karma
Highlighted

Re: disabled user activity

New Member

Thanks Ben

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.