Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

the user has not logon AD for more than 90 days

nalia_v
Loves-to-Learn Everything
‎02-17-2021 09:51 AM

Hi.

The topic is probably already hackneyed, but I'll ask you anyway.

Classic case - the user has not logon for more than 90 days.

I want to make a request through - ldapsearch, With enrichment through blood pressure AD.

 

There is an example request https://docs.splunksecurityessentials.com/content-detail/old_passwords/

Took from the request only - there were no login for more than 90 days.

| ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,pwdLastSet,lastLogonTimestamp,whenCreated,badPwdCount,logonCount" | fields - _raw host _time
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6QZ" mktime(lastLogonTimestamp) | convert timeformat="%Y%m%d%H%M%S.0Z"
| where lastLogonTimestamp > relative_time(now(), "-90d")
| convert ctime(lastLogonTimestamp)

The request is processed and takes away attributes from AD, but the time of the last login-lastLogonTimestamp does not show the former not 90 days.

Where is the error in the request ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...
Top