Controlling access to cloud infrastructure includes reviewing who has access and how frequently or infrequently they use it. This search also surfaces accounts created for employees who have since left the company, or who have moved out of the part of the organization where cloud access is needed.
- Configure the Microsoft Azure Add-on for Splunk.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:aad:signin" OR sourcetype="azure:aad:user" earliest=-30d@h latest=now | eval user_id=coalesce(userId,id), display_name=coalesce(displayName,userDisplayName) | dedup user_id sourcetype sortby - _time | eventstats dc(sourcetype) as useractivity by user_id | where useractivity<2 | table display_name user_id userPrincipalName
The following table explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Search part | Explanation |
|---|---|
| sourcetype="azure:aad:signin" OR sourcetype="azure:aad:user" earliest=-30d@h latest=now | Search Azure Active Directory sign-in or user data and filter the results to the last 30 days. |
| \| eval user_id=coalesce(userId,id), display_name=coalesce(displayName,userDisplayName) | Create user_id and display_name fields that coalesce multiple fields and their values. |
| \| dedup user_id sourcetype sortby - _time | Deduplicate events per user and sourcetype, keeping the most recent event. |
| \| eventstats dc(sourcetype) as useractivity by user_id | Count the number of sourcetypes present for each user. |
| \| where useractivity<2 | Look for accounts that do not have sign-in activity. |
| \| table display_name user_id userPrincipalName | Show the display name, user ID, and user principal name of the accounts that haven't logged in within the last 30 days. |
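As an added, stand-alone illustration (not code from the original page or from the Microsoft Azure Add-on for Splunk), the following Python script re-implements the search's logic over constructed sample events, so you can see which users the where useractivity<2 filter keeps. All user identities and timestamps are made up; the field names are the ones the SPL above uses.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 30, 12, 30)  # constructed "now" for the offline run

# Constructed sample events: (sourcetype, _time, fields). Sign-in events carry
# userId/userDisplayName, user objects carry id/displayName, as the SPL's coalesce() expects.
EVENTS = [
    ("azure:aad:user",   NOW - timedelta(days=1),  {"id": "u-alice", "displayName": "Alice Example", "userPrincipalName": "alice@example.com"}),
    ("azure:aad:signin", NOW - timedelta(days=5),  {"userId": "u-alice", "userDisplayName": "Alice Example", "userPrincipalName": "alice@example.com"}),
    ("azure:aad:user",   NOW - timedelta(days=2),  {"id": "u-bob", "displayName": "Bob Example", "userPrincipalName": "bob@example.com"}),
    ("azure:aad:user",   NOW - timedelta(days=3),  {"id": "u-dave", "displayName": "Dave Example", "userPrincipalName": "dave@example.com"}),
    ("azure:aad:signin", NOW - timedelta(days=45), {"userId": "u-dave", "userDisplayName": "Dave Example", "userPrincipalName": "dave@example.com"}),
    ("azure:aad:signin", NOW - timedelta(days=10), {"userId": "u-carol", "userDisplayName": "Carol Guest", "userPrincipalName": "carol@example.com"}),
]


def find_dormant_accounts(events, now=NOW, window_days=30):
    """Return (display_name, user_id, userPrincipalName) rows, one per user seen in
    fewer than two sourcetypes inside the window: the SPL's `where useractivity<2`."""
    # earliest=-30d@h snaps the window start to the hour; latest=now
    earliest = (now - timedelta(days=window_days)).replace(minute=0, second=0, microsecond=0)
    by_user = {}
    for sourcetype, ts, f in sorted(events, key=lambda e: e[1], reverse=True):  # newest first
        if not earliest <= ts <= now:
            continue
        # eval user_id=coalesce(userId,id), display_name=coalesce(displayName,userDisplayName)
        user_id = f.get("userId") or f.get("id")
        display_name = f.get("displayName") or f.get("userDisplayName")
        rec = by_user.setdefault(user_id, {"sourcetypes": set(), "row": None})
        # dedup user_id sourcetype sortby - _time keeps the newest event per (user, sourcetype);
        # eventstats dc(sourcetype) then counts how many sourcetypes survived for the user
        rec["sourcetypes"].add(sourcetype)
        if rec["row"] is None:  # first event seen is the newest one for this user
            rec["row"] = (display_name, user_id, f.get("userPrincipalName"))
    # where useractivity<2: only one sourcetype present. Note this also returns a user seen
    # only in sign-in data (Carol above), e.g. when the user object export is incomplete.
    return [rec["row"] for rec in by_user.values() if len(rec["sourcetypes"]) < 2]


if __name__ == "__main__":
    for display_name, user_id, upn in find_dormant_accounts(EVENTS):
        print(f"{display_name:<14} {user_id:<8} {upn}")
```

Alice signed in within the window and is dropped; Bob never signed in, Dave's last sign-in is older than 30 days, and Carol appears only in sign-in data, so all three are returned.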
To reduce the risk of accidental misconfigurations, revoke access for users returned by this search who access cloud infrastructure only infrequently.
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.