Splunk Enterprise Security

How to find LDAP accounts that have been disabled for longer then 30 days

New Member

Hi everyone.
I'm new to Splunk and trying to work on a search that would return accounts in LDAP that have already been disabled for 30 days or longer. I have found that the event code for disabled accounts is 4725, and I can see accounts that have been set to disable within the last 30/60/90... days, but not sure how to see ones that have been sitting in disabled status for 30 days or longer

Any assistance is MUCH appreciated!

0 Karma

Contributor

so you can use the timestamp from the event data and then calculate in seconds the diff between now and the date of the event
timestamp. this can be used to generate a new field which will give you the offset in time in days:

your splunk search
| eval now = now()
| eval secDiff = (now - _time)
| eval ageOfLastEventInDays = round(secDiff/86400,2)
| search ageOfLastEventInDays >= 30

0 Karma

New Member

So would the search look like this:

index="wineventlog" EventCode=4725
| eval now = now()
| eval secDiff = (now - _time)
| eval ageOfLastEventInDays = round(secDiff/86400,2)
| search ageOfLastEventInDays >= 30

0 Karma

Communicator

Their is a way to determine if any users has not been logged to splunk from last 30 days but if you are looking for ldap disabled accounts , if its indexed then you can get it.

0 Karma