Security

splunk users expire after x days of inactivity

scheckenbachb
Explorer

Hi,
is it possible to set an "expire after x days of inactivity" for Splunk's own built-in system users? The Manager GUI in V 5.0.1 dosen't offer this.

Regards, Bernhard

Tags (1)
0 Karma

Damien_Dallimor
Ultra Champion

You could do this using a scheduled script(cron / windows scheduled task) that communicates to SplunkD via the Splunk REST API.
The script could execute a search(via the REST API) to determine the last time each user logged in, and calculate which users have been inactive for x days.In the following example, 2592000 seconds is 30 days

index=_internal source=*web_service.log action=login status=success | eval last_login_time=_time |  eval current_time=now() | eval time_since_last_login_secs=current_time-last_login_time | where time_since_last_login_secs > 2592000 | table user

And then remove the users(via the REST API) that are returned in the search results.
We have several language SDKs that sit atop the REST API to make this development easier.

You could also do this using the Splunk CLI.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...