Re: search for temporary users in privileged group...

brandylee1993 · ‎03-04-2021

How can I create search for temporary users in privileged groups? Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Administrators, Backup Operators, Incoming Forest Trust Builders, Server Operators. I'm struggling

dave_null · ‎03-05-2021

Can you set up the "| ldapsearch " command in your Splunk environment, so that it can perform LDAP queries to your AD?

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.2/User/Theldapsearchcommand

https://www.splunk.com/en_us/blog/tips-and-tricks/integrating-active-directory-into-splunk-with-sa-l...

Once that is complete, you can search for users with a "accountExpires" time:

| ldapsearch domain="default" search="(&(objectclass=user))" attrs="cn,displayName,title,department,whenCreated,mail,lastLogonTimestamp,accountExpires"
| table cn mail displayName title department whenCreated lastLogonTimestamp accountExpires

search for temporary users in privileged groups

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms