Security

search for temporary users in privileged groups

brandylee1993
Explorer

How can I create search for temporary users in privileged groups? Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Administrators, Backup Operators, Incoming Forest Trust Builders, Server Operators.  I'm struggling

0 Karma

dave_null
Path Finder

Can you set up the "| ldapsearch " command in your Splunk environment, so that it can perform LDAP queries to your AD?

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.2/User/Theldapsearchcommand

https://www.splunk.com/en_us/blog/tips-and-tricks/integrating-active-directory-into-splunk-with-sa-l...

Once that is complete, you can search for users with a "accountExpires" time:

| ldapsearch domain="default" search="(&(objectclass=user))" attrs="cn,displayName,title,department,whenCreated,mail,lastLogonTimestamp,accountExpires"
| table cn mail displayName title department whenCreated lastLogonTimestamp accountExpires
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...