When someone gets activated and deactivated this data is consolidated -- always.
My question is how can I separate this data based on timestamps?
If someone were to get deactivated and then reactivated afterward,
how can I avoid including this in an inputlookup?
I have a search that I am using, but I am running into false positives due to what I mentioned above: sometimes someone will get re-activated after deactivation, and I need Splunk to differentiate so that someone getting re-activated after deactivation is not an alert or an actionable offense.
What commands or other parts can I use?
Thank you.
Search:
(index="AD" OR index="ADUser") (eventType="SSO" OR eventType="start")
| eval from="search"
| append [| inputlookup users.csv | table users | eval from="lookup"]
| stats values(from) as from by users
| where mvcount(from)=2 AND from="lookup"
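As an added example (not code from the original post, and not Splunk SPL), the following Python shows the timestamp-ordering logic the question is asking for, run over constructed sample events: for each user, find the most recent status change, and only count a login as actionable if it happened after that user's latest status event and that event was a deactivation. The status values "deactivated" and "reactivated", the field name `users`, the lookup contents and every log line are assumptions made for the example; the post only shows the "SSO" and "start" event types.

```python
from datetime import datetime, timezone

# Constructed sample events, not from the original post. Each line mimics a
# raw AD/SSO event with a timestamp, a users field and an eventType field.
# The status values "deactivated" and "reactivated" are assumed; the post
# only shows "SSO" and "start".
SAMPLE_LOG = """\
2024-01-10T09:00:00Z users=alice eventType=deactivated
2024-01-12T08:15:00Z users=alice eventType=SSO
2024-01-05T10:00:00Z users=bob eventType=deactivated
2024-01-08T11:30:00Z users=bob eventType=reactivated
2024-01-09T07:45:00Z users=bob eventType=start
2024-01-03T12:00:00Z users=carol eventType=SSO
2024-01-04T16:00:00Z users=carol eventType=deactivated
2024-01-11T13:20:00Z users=dave eventType=SSO
"""

# Assumed contents of users.csv: the lookup of deactivated accounts. It is
# stale on purpose: bob was reactivated after the list was exported.
DEACTIVATED_LOOKUP = {"alice", "bob", "carol", "dave"}

STATUS_EVENTS = {"deactivated", "reactivated"}
LOGIN_EVENTS = {"SSO", "start"}


def parse_events(log_text):
    """Turn the raw lines into (time, user, event_type) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, fields["users"], fields["eventType"]))
    return events


def last_status_change(events):
    """Latest status event per user: user -> (time, status).
    This is the piece the original search lacks: it keeps only the most
    recent activation/deactivation per user instead of merging them all."""
    latest = {}
    for when, user, etype in events:
        if etype in STATUS_EVENTS and (user not in latest or when > latest[user][0]):
            latest[user] = (when, etype)
    return latest


def logins_after_deactivation(log_text, lookup):
    """Return user -> sorted ISO timestamps of logins that happened while the
    account was deactivated. A user whose most recent status event is
    'reactivated' is skipped even though the stale lookup still lists them."""
    events = parse_events(log_text)
    latest = last_status_change(events)
    hits = {}
    for when, user, etype in events:
        if etype not in LOGIN_EVENTS or user not in lookup:
            continue
        status = latest.get(user)
        if status is None:
            # No status events in the search window: fall back to lookup
            # membership alone, which is what the original search does.
            hits.setdefault(user, []).append(when.isoformat())
            continue
        status_time, status_name = status
        if status_name == "deactivated" and when > status_time:
            hits.setdefault(user, []).append(when.isoformat())
    return {user: sorted(times) for user, times in hits.items()}


if __name__ == "__main__":
    for user, times in logins_after_deactivation(SAMPLE_LOG, DEACTIVATED_LOOKUP).items():
        print(user, times)
```

With the sample data, alice and dave are flagged (alice logged in after her deactivation; dave is only known from the lookup), while bob is not flagged because his latest status event is a reactivation, and carol is not flagged because her login predates her deactivation. The same idea carries over to Splunk: compute the latest status event and its time per user with `stats` before comparing against the login events, rather than appending the lookup and counting sources.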
When someone gets activated and deactivated,
what do the logs look like?