Detecting inactive users in Active Directory

Hey All, I need to detect inactive users in Active Directory using Elastic SIEM. Any ideas how can I do that using EQL?

I implemented the detection login in Splunk by using lookup files where I write to a lookup file all domain users who generate 4624 events, then doing my another search based on that users list.

Any help highly appreciated!

1 Like

Hey Elnur, I'm having trouble understanding how you implemented this in Splunk. Could you describe it in more detail?

I have a lookup file users.csv (user, host, last_login_time). I populate this lookup file by searching login events and output the results to this lookup file. My purpose for creating a lookup file is to get a list of all domain users, the hosts they last logged in, and their last login time.
And I do another search on users.csv where last_login_time < (now() - (86400 * 90)) to get inactive users.
I couldn't implement this logic in Elastic SIEM because I don't know how to get all login events and write it to a file (like users.csv) and do another search using this file to get inactive ones.

I think a latest transform could perhaps be a good solution.

I Did this for host not users But same concept. We wanted to see what hosts had not sent logs lately.

Basically if you do a latest transform using a user ID as the unique identifier and the timestamp as the latest time then you will see the user that has not logged in in the last day or two days or a week etc.

Most your users will have logged in recently, but you'll see the tail of the users that have not.

It's actually could be pretty awesome solution.

It does depend on that they log in at least once. We did hosts over the last 90 days

1 Like

This is clearer now. Stephen is correct. A transform will keep track of the latest time, then you can just use date math in the query, like last_login_time <= "now-90d/d"

1 Like

Transform will look something like this

And the results: