The way the Expired Identities object works in the Asset & Identities data model really looks like this:
identities |search endDate=*
The identity returns a list of identities, but the endDate=* will just return individuals who have a value in the end date. The expected value for end date is a time and would generally be a time that has already passed.
Do all of your identities have end dates in them? If an identity's endDate value is null, these identities don't get returned in the above search.
The way I would interpret the search is that the only people who should have end dates would be people who have left the organization and I put the end date in at their termination/departure. At that point, I can then search for folks who have an end date and this would allow me to trigger on expired accounts in that manner.
If all your identities have end dates, some in the past, some in the future, we might have to look at changing things a bit to accommodate the data already populated. You could make that change at the data model level and say something like |
identities |search endDate
Not all identities have end dates. But we do have some identities having end dates (past & future). Right now it is considering all as expired accounts even if the end date is in the future.
Right, I suspected that based on your comments. Based on that, you may want to look at modifying the data model that treats expired identities as endDate=* and instead change this to be endDate
I had a similar issue where accounts set to "never" expire generated an expired account activity alert because as illustrated by jstoner above, the Expired Identities object matches all values.
Instead of changing the data model I set endDate to a null value where accountExpires=(never)
| eval endDate=if(accountExpires="(never)","",accountExpires)
rich7177 has a good example of an LDAP search that exports nicely to ES here.
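As an added illustration (my own code, not from any poster in this thread or from Splunk ES), the script below models the thread's point on constructed identity records: the data model's endDate=* test matches any populated value, including the "(never)" placeholder and future dates, while the eval from the post above clears "(never)" and a time comparison restricts the match to end dates that have already passed. The field names, the epoch timestamps and the fixed "now" are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample records (not from the thread). endDate/accountExpires are
# epoch seconds as strings, the literal "(never)", or missing (None).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc).timestamp()

IDENTITIES = [
    {"identity": "alice", "accountExpires": "(never)",    "endDate": "(never)"},
    {"identity": "bob",   "accountExpires": "1700000000", "endDate": "1700000000"},  # past
    {"identity": "carol", "accountExpires": "1900000000", "endDate": "1900000000"},  # future
    {"identity": "dave",  "accountExpires": None,         "endDate": None},          # no value
]


def normalize_end_date(record):
    """Mirror the posted eval: blank endDate when accountExpires is '(never)',
    otherwise copy accountExpires into endDate."""
    out = dict(record)
    if out.get("accountExpires") == "(never)":
        out["endDate"] = ""
    else:
        out["endDate"] = out.get("accountExpires")
    return out


def expired_by_presence(records):
    """The data model's original test (endDate=*): any non-empty value matches,
    regardless of whether that value is a time or whether it has passed."""
    return [r["identity"] for r in records if r.get("endDate") not in (None, "")]


def expired_by_time(records, now=NOW):
    """Stricter test: expired only if endDate is set, parses as a time, and is
    not later than 'now'. Placeholders such as '(never)' are skipped."""
    expired = []
    for r in records:
        value = r.get("endDate")
        if value in (None, ""):
            continue
        try:
            end = float(value)
        except ValueError:
            continue  # unparsable value: not a usable end date
        if end <= now:
            expired.append(r["identity"])
    return expired


if __name__ == "__main__":
    print("endDate=* on raw records:   ", expired_by_presence(IDENTITIES))
    cleaned = [normalize_end_date(r) for r in IDENTITIES]
    print("endDate=* after the eval:   ", expired_by_presence(cleaned))
    print("endDate in the past only:   ", expired_by_time(cleaned))
```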