Splunk Enterprise Security

Splunk Expired account activity

Builder

Hi

What should be defined in the Assets & Identities data model for the expired accounts? Right now in the data model it is defined as endDate=*, which is considering all of them as expired accounts.

Re: Splunk Expired account activity

Splunk Employee

The way the Expired Identities object works in the Asset & Identities data model really looks like this:

|identities |search endDate=*

The identities search returns a list of identities, but the endDate=* will just return individuals who have a value in the end date field. The expected value for end date is a time and would generally be a time that has already passed.

Re: Splunk Expired account activity

Builder

What should be changed to make this work as expected, so the correlation search "Account activity for expired accounts" will work?

Re: Splunk Expired account activity

Splunk Employee

Do all of your identities have end dates in them? If an identity's endDate value is null, that identity doesn't get returned in the above search.

The way I would interpret the search is that the only people who should have end dates would be people who have left the organization and I put the end date in at their termination/departure. At that point, I can then search for folks who have an end date and this would allow me to trigger on expired accounts in that manner.

If all your identities have end dates, some in the past, some in the future, we might have to look at changing things a bit to accommodate the data already populated. You could make that change at the data model level and say something like |identities |search endDate

Re: Splunk Expired account activity

Builder

Not all identities have end dates, but we do have some identities with end dates (past and future). Right now it is considering all of them as expired accounts, even when the end date is in the future.

Re: Splunk Expired account activity

Splunk Employee

Right, I suspected that based on your comments. Based on that, you may want to look at modifying the data model, which treats expired identities as endDate=*, and instead change this to be endDate

Re: Splunk Expired account activity

Builder

Yes, I have to change the data model. What should I place in there instead of endDate=*?

Re: Splunk Expired account activity

Splunk Employee

Sorry, it cut it off in my response. Can you try endDate 'less than sign' time?

Re: Splunk Expired account activity

Path Finder

I had a similar issue where accounts set to "never" expire generated an expired account activity alert because, as illustrated by jstoner above, the Expired Identities object matches all values.

Instead of changing the data model I set endDate to a null value where accountExpires=(never)

| eval endDate=if(accountExpires="(never)","",accountExpires)

rich7177 has a good example of an LDAP search that exports nicely to ES here.
https://answers.splunk.com/answers/400373/how-to-speed-up-ldap-active-directory-searches-spe.html
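The two fixes proposed in this thread (the Splunk employee's endDate 'less than' time, and the Path Finder's eval that blanks endDate when accountExpires is "(never)") modelled side by side on sample identity rows. This is an added example written for this page, not Splunk's Assets & Identities data model code or any search posted above: it mirrors the SPL logic in plain Python so the difference between endDate=* and a date comparison is visible. It assumes (as a constructed convention) that endDate/accountExpires hold ISO-8601 UTC timestamps, an empty string, or the literal "(never)" that an AD export can produce, and it pins "now" to a fixed date so the results are reproducible.

```python
"""Model of the Expired Identities filters discussed in the thread.

Added example, not Splunk code. Field formats and sample rows are assumptions.
"""
from datetime import datetime, timezone

# Fixed "now" for reproducible results (assumption, not the real clock).
NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)

# Constructed identity rows (not from the page).
IDENTITIES = [
    {"identity": "alice", "accountExpires": "2018-01-31T00:00:00Z"},  # departed, end date in the past
    {"identity": "bob",   "accountExpires": "2099-12-31T00:00:00Z"},  # still employed, end date in the future
    {"identity": "carol", "accountExpires": ""},                      # no end date set
    {"identity": "dave",  "accountExpires": "(never)"},               # AD "never expires", exported verbatim
]


def build_identities(rows):
    """Naive identity build: copy accountExpires straight into endDate."""
    return [dict(r, endDate=r["accountExpires"]) for r in rows]


def build_identities_null_never(rows):
    """Mirror of: | eval endDate=if(accountExpires="(never)","",accountExpires)"""
    return [
        dict(r, endDate="" if r["accountExpires"] == "(never)" else r["accountExpires"])
        for r in rows
    ]


def parse_time(value):
    """Return an aware datetime, or None for empty or unparseable values."""
    if not value:
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def expired_wildcard(identities):
    """Mirror of: | search endDate=*  (any non-empty endDate counts as expired)."""
    return [i["identity"] for i in identities if i["endDate"] != ""]


def expired_before(identities, now):
    """Mirror of: | search endDate<now  (only end dates already in the past)."""
    out = []
    for i in identities:
        end = parse_time(i["endDate"])
        if end is not None and end < now:
            out.append(i["identity"])
    return out


if __name__ == "__main__":
    naive = build_identities(IDENTITIES)
    fixed = build_identities_null_never(IDENTITIES)
    print("endDate=* on naive build:      ", expired_wildcard(naive))
    print("endDate<now on naive build:    ", expired_before(naive, NOW))
    print("endDate=* after nulling never: ", expired_wildcard(fixed))
    print("endDate<now after nulling never:", expired_before(fixed, NOW))
```

On these rows the wildcard filter flags alice, bob and dave, which is the over-matching both posters describe. Blanking "(never)" removes dave but still leaves bob, whose end date is in the future; comparing the parsed end date against now is the only variant that returns just alice, so the two fixes are complementary rather than alternatives.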