
How to search for login activity from terminated/disabled users

Engager

I receive a weekly report on terminated users and I’m trying to create a search that will identify events/domain activity from the associated accounts, which will help catch any that haven’t been disabled or potentially malicious activity.

My thinking was to use the inputlookup function to ingest the terminated users and their last working day, then searching for successful login events (EventCode=4624) from our domain controllers after that date.

Here’s an example of my leavers_list.csv file:

user lastday
john.snow 22/04/2019
arya.stark 20/03/2019

And here’s what I tried:

| inputlookup leavers_list.csv | fields user lastday 
| eval lastday=strptime(lastday, "%-d/%-m/%Y")
| search index=wineventlog user=* EventCode=4624 | where _time > lastday

I’ve used some test data in my input file which should have returned results, but I’m not getting anything back. I’m now convinced I’m going about this the wrong way. I know what I’m trying to do but failing pretty hard!

Any guidance is greatly appreciated!
Thanks

0 Karma

SplunkTrust

Hi @ryanisibor,

Always start your search with the bigger set of data and apply the smaller set as a filter. So try something like this for getting people that have already left the company and are logging in to Windows infrastructure:

index=wineventlog  EventCode=4624 [| inputlookup leavers_list.csv|return 0 user] 

Since the list already contains everyone that left, any recent match to the list could be a security alert since it's a recent authentication of a person that shouldn't be here. This is exactly what the search above does, using the list of leavers as a filter for your search.

You can then use another lookup afterwards to get the exact departure date and run some stats on the search.

index=wineventlog  EventCode=4624 [| inputlookup leavers_list.csv|return 0 user] | lookup leavers_list.csv user OUTPUT lastday | stats whateverisneeded

Let me know how that works out for you.

Cheers,
David

0 Karma

Super Champion

If you put your major search (i.e. the search of wineventlog) later, it will be a performance bottleneck. So try putting it at the start itself and do a lookup of your leavers file.

Also, try adding host=SomeDomainController*; it will improve the search quite a bit.

Try like below

index=wineventlog host=<someADServers> EventCode=4624 [|inputlookup leavers_list.csv| dedup user| fields user]
| stats latest(_time) as lastActivityTime by user
| lookup leavers_list.csv user OUTPUT lastday
| eval lastday=strptime(lastday, "%d/%m/%Y")
| where lastActivityTime > lastday
0 Karma
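The two answers above share one subtlety that is easy to miss: strptime("22/04/2019", "%d/%m/%Y") yields midnight at the start of the last working day, so `where _time > lastday` also flags logons that happened during that final day. The search below is an added example (not code from either answer or from Splunk) that moves the cutoff to the start of the following day, keeps every post-departure logon rather than only the latest one, and summarises per user. It assumes the Windows add-on's `user` and `Logon_Type` extractions for EventCode 4624 and the same leavers_list.csv (columns `user`, `lastday`) as the question:

```spl
index=wineventlog host=SomeDomainController* EventCode=4624
    [| inputlookup leavers_list.csv | dedup user | fields user]
| lookup leavers_list.csv user OUTPUT lastday
| eval lastday_epoch=strptime(lastday, "%d/%m/%Y")
| eval cutoff=relative_time(lastday_epoch, "+1d@d")
| where _time >= cutoff
| stats count AS logons_after_leaving
        min(_time) AS first_logon
        max(_time) AS last_logon
        values(host) AS domain_controllers
        values(Logon_Type) AS logon_types
    BY user lastday
| eval first_logon=strftime(first_logon, "%Y-%m-%d %H:%M:%S"),
       last_logon=strftime(last_logon, "%Y-%m-%d %H:%M:%S")
| sort - logons_after_leaving
```

The subsearch expands to `(user="john.snow") OR (user="arya.stark")`, which is case-insensitive at search time, but the `lookup` command that adds `lastday` back is case-sensitive by default, so the account names in the CSV must match the extracted `user` field exactly (or the lookup definition must be created with case-sensitive matching disabled). Subsearches are also capped at 10,000 results by default; a leaver list larger than that should be applied as a lookup-based filter instead. A single row in this output is an account that was still enabled after its owner's last day, which is the condition the original question wants to catch.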