I receive a weekly report on terminated users and I’m trying to create a search that will identify events/domain activity from the associated accounts, which will help catch any that haven’t been disabled or potentially malicious activity.
My thinking was to use the inputlookup function to ingest the terminated users and their last working day, then search for successful login events (EventCode=4624) from our domain controllers after that date.
Here’s an example of my leavers_list.csv file:
And here’s what I tried:
| inputlookup leavers_list.csv | fields user lastday | eval lastday=strptime(lastday, "%-d/%-m/%Y") | search index=wineventlog user=* EventCode=4624 | where _time > lastday
I’ve used some test data in my input file which should have returned results, but I’m not getting anything back. I’m now convinced I’m going about this the wrong way. I know what I’m trying to do but failing pretty hard!
Any guidance is greatly appreciated!
Always start your search with the bigger set of data and apply the smaller set as a filter. So try something like this for getting people who have already left the company and are logging in to Windows infrastructure:
index=wineventlog EventCode=4624 [| inputlookup leavers_list.csv|return 0 user]
Since the list already contains everyone who has left, any recent match against the list could be a security alert, since it is a recent authentication by a person who shouldn't be here. This is exactly what the search above does, using the list of leavers as a filter for your search.
You can then use another lookup afterwards to get the exact departure date and run some stats on the search.
index=wineventlog EventCode=4624 [| inputlookup leavers_list.csv | return 0 user] | lookup leavers_list.csv user | stats whateverisneeded
Let me know how that works out for you.
If you put your major search (i.e. the search of wineventlog) later, it will be a performance bottleneck. So try putting it at the start and do a lookup against your leavers file.
Also, try adding host=SomeDomainController*; it will improve the search quite a bit.
Try something like the below:
index=wineventlog host=<someADServers> EventCode=4624 [| inputlookup leavers_list.csv | dedup user | fields user] | stats latest(_time) as lastActivityTime by user | lookup leavers_list.csv user OUTPUT lastday | eval lastday=strptime(lastday, "%d/%m/%Y") | where lastActivityTime > lastday
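The join both answers describe (filter 4624 events from the domain controllers down to accounts on the leavers list, take each account's latest logon, compare it against the parsed lastday) as an added example in Python rather than SPL, so it can be run offline against constructed data. This is not code from the thread; it assumes the `user` and `lastday` columns from the question's CSV, day/month/year dates, and UTC event timestamps, and the sample leavers list and Security log records are made up for the example. It also makes two changes a practitioner would want: the cutoff is the end of the last working day, so a logon on that day itself is not flagged (strptime alone gives midnight at the start of lastday), and account names are compared case-insensitively, as Active Directory treats them.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample leavers list in the shape of the question's leavers_list.csv
# (hypothetical accounts and dates, day/month/year like the original).
LEAVERS_CSV = """user,lastday
jsmith,13/5/2019
ajones,2/5/2019
bwhite,30/4/2019
"""

# Constructed sample Security log records reduced to the fields the search uses:
# event time (UTC), EventCode, reporting host and the account that logged on.
# Hypothetical data, not real Windows event log output.
EVENTS = [
    {"_time": "2019-05-13T09:15:00Z", "EventCode": 4624, "host": "DC01", "user": "jsmith"},  # on last day, allowed
    {"_time": "2019-05-15T07:42:10Z", "EventCode": 4624, "host": "DC01", "user": "JSmith"},  # after leaving, alert
    {"_time": "2019-05-03T18:20:00Z", "EventCode": 4624, "host": "DC02", "user": "ajones"},  # after leaving, alert
    {"_time": "2019-05-04T08:00:00Z", "EventCode": 4625, "host": "DC02", "user": "ajones"},  # failed logon, ignored
    {"_time": "2019-04-29T12:00:00Z", "EventCode": 4624, "host": "DC01", "user": "bwhite"},  # before leaving
    {"_time": "2019-05-06T10:00:00Z", "EventCode": 4624, "host": "DC01", "user": "cgreen"},  # not a leaver
]


def load_leavers(csv_text):
    """Parse the leavers CSV into {user_lowercase: cutoff_datetime}.

    The cutoff is the END of the last working day (00:00 UTC of the next day), so a
    logon on the last day itself is not flagged. %d/%m/%Y accepts both '2/5/2019'
    and '02/05/2019', so the non-portable %-d form from the question is not needed.
    """
    leavers = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_day = datetime.strptime(row["lastday"].strip(), "%d/%m/%Y")
        cutoff = (last_day + timedelta(days=1)).replace(tzinfo=timezone.utc)
        leavers[row["user"].strip().lower()] = cutoff
    return leavers


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_termination_logons(events, leavers, host_prefix="DC"):
    """Mirror the SPL from the answers: keep EventCode 4624 from the domain
    controllers, restrict to accounts on the leavers list, take latest(_time)
    per account, then keep accounts whose latest logon is past their cutoff.

    Returns {user: (latest_logon, cutoff)} for the accounts to alert on.
    """
    latest = {}
    for ev in events:
        if ev["EventCode"] != 4624 or not ev["host"].startswith(host_prefix):
            continue
        user = ev["user"].lower()  # AD account names are case-insensitive
        if user not in leavers:
            continue
        t = parse_time(ev["_time"])
        if user not in latest or t > latest[user]:
            latest[user] = t
    return {u: (t, leavers[u]) for u, t in latest.items() if t >= leavers[u]}


if __name__ == "__main__":
    hits = find_post_termination_logons(EVENTS, load_leavers(LEAVERS_CSV))
    for user, (seen, cutoff) in sorted(hits.items()):
        print(f"ALERT {user}: logon at {seen.isoformat()} after cutoff {cutoff.isoformat()}")
```

Run as-is, it flags jsmith and ajones and leaves bwhite (last logon before leaving), cgreen (not on the list) and the 4625 failure alone. The same end-of-day adjustment carries back to the SPL by adding 86400 to the strptime result in the eval, or by comparing against `relative_time(lastday, "+1d")`.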