I am working on a use case which looks for users who haven't logged into Active Directory in the last 90 days. I have stitched together a few searches I've come across but have had no luck with it.
index=wineventlog (EventCode=528 OR EventCode=4624)
| eval Account_Name=mvindex(Account_Name,1)
| eval UserAccount=coalesce(Account_Name,User_Name)
| search NOT UserAccount="*$" NOT UserAccount=anonymous NOT UserAccount=system
| stats latest(_time) as lastOccurrence by UserAccount
| eval lastMo=relative_time(now(),"-90d@d")
| where lastOccurrence < lastMo
| eval lastOccurrence=strftime(lastOccurrence,"%Y-%m-%d"), lastMo=strftime(lastMo,"%Y-%m-%d")
| table UserAccount lastOccurrence lastMo
I have tried using an LDAP lookup for this; however, unfortunately, due to the way AD has been set up in our virtualized environment, the timestamps of last logins are way off. Therefore, we have to use Windows event logs.
Thanks in advance.
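The same stale-account logic as a stand-alone script, added here as an example that is not part of the original post: it mirrors the `mvindex(Account_Name,1)` / `coalesce` / machine-account filtering of the search over constructed 4624 and 528 records, keeps the latest logon per user, and also shows the gap the search alone cannot close, namely accounts with no logon event at all in the searched window (the `known_users` list stands in for an AD user inventory and is an assumption).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events in the shape Splunk extracts from Windows Security
# records. EventCode 4624 carries two Account_Name values: the subject first,
# then the target account that actually logged on (hence mvindex(...,1)).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EVENTS = [
    {"_time": NOW - timedelta(days=5),   "EventCode": 4624, "Account_Name": ["SRV01$", "alice"]},
    {"_time": NOW - timedelta(days=120), "EventCode": 4624, "Account_Name": ["SRV01$", "bob"]},
    {"_time": NOW - timedelta(days=200), "EventCode": 4624, "Account_Name": ["SRV01$", "bob"]},
    {"_time": NOW - timedelta(days=95),  "EventCode": 528,  "User_Name": "carol"},
    {"_time": NOW - timedelta(days=3),   "EventCode": 4624, "Account_Name": ["-", "SYSTEM"]},
    {"_time": NOW - timedelta(days=100), "EventCode": 4624, "Account_Name": ["-", "SRV02$"]},
    {"_time": NOW - timedelta(days=10),  "EventCode": 4624, "Account_Name": ["-", "ANONYMOUS LOGON"]},
]

# Same exclusions as the search: machine accounts (trailing $), anonymous, system.
EXCLUDED = {"anonymous logon", "anonymous", "system"}


def user_account(event):
    """Mirror `mvindex(Account_Name,1)` followed by `coalesce(Account_Name,User_Name)`."""
    names = event.get("Account_Name")
    if isinstance(names, list):
        names = names[1] if len(names) > 1 else names[0]  # target account of a 4624
    return names if names is not None else event.get("User_Name")


def is_excluded(name):
    return name is None or name.endswith("$") or name.lower() in EXCLUDED


def stale_accounts(events, now, days=90):
    """Users whose latest logon is before midnight `days` days ago (relative_time -90d@d)."""
    cutoff = (now - timedelta(days=days)).replace(hour=0, minute=0, second=0, microsecond=0)
    last_seen = {}
    for ev in events:
        name = user_account(ev)
        if is_excluded(name):
            continue
        if name not in last_seen or ev["_time"] > last_seen[name]:
            last_seen[name] = ev["_time"]  # equivalent of stats latest(_time) by UserAccount
    return {n: t for n, t in last_seen.items() if t < cutoff}


def never_seen(known_users, events):
    """Accounts with no logon event at all in the window; the search cannot surface these."""
    seen = {user_account(ev) for ev in events}
    return sorted(u for u in known_users if u not in seen)


if __name__ == "__main__":
    print(stale_accounts(EVENTS, NOW))
    print(never_seen(["alice", "bob", "carol", "dave"], EVENTS))
```

Because `stats latest(_time)` only sees events inside the search's time range, the Splunk search must be run over at least 90 days of data, and users who never produced a logon event in that range need a separate inventory check such as `never_seen` above.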