Skip to main content
 
Splunk Lantern

Activity from expired user identity

 

​​Unauthorized attempts —both failed and successful—to access organizational resources from past employees or employees whose authorization has expired is a threat to the security of your company data. You need a search that can help you easily find these attempts so that you can investigate as needed.

Required data

Authentication data. This sample search uses Microsoft: Windows security data. You can replace this source with any other authentication data data used in your organization. 

Procedure

  1. Identify all relevant IT assets from a data mapping exercise conducted by the Data Privacy Officer’s team. These are all IT assets that are relevant to the full audit trail of data processing activities. This includes not only data stores and repositories that house sensitive personal data (PD) and personally identifiable information (PII), but also any technologies that are involved in the processing, storage, transmission, receipt, rendering, encrypt/decrypt, relaying, and handling of such data in any capacity. 
  2. Ensure that those assets are configured properly to report logging activity to an appropriate central repository. 
  3. Use your data mapping results to build a lookup that associates systems to their system category. At a minimum, the lookup must contain “isActive”, “terminationDate”, and the “user” name. These attributes are added to the matching events. The data stored in the lookup file is typically pulled from SA-ldapsearch or ADMon from the Splunk Supporting Add-on for Active Directory by a scheduled search.
  4. Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="*WinEventLog:Security" user=* user!="" action=success 
|lookup user_account_status.csv user 
|where _time > relative_time(terminationDate, "+1d")
|lookup <name of lookup you created in step 3> host AS dest OUTPUT category 
|search category=*

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

source="*WinEventLog:Security"

Search Windows security authentication data. 

In this example, we specify the WinEventLog but your environment may only need the tag=authentication, or you may need to add other sources. 

user=* user!=""

Omit results where the user field value is not set.

action=success 

Return only successful authentication events.

|lookup user_account_status.csv user 

Look up the user status. The minimum columns in the lookup are “isActive”, “terminationDate” and the “user” name. These attributes are added to the matching events. 

This lookup data stored in the lookup file is typically pulled from SA-ldapsearch or ADMon from the Active Directory add-on by a scheduled search. 

|where _time > relative_time(terminationDate, "+1d")

Filter for users whose expiration is at least a day ago. Note that terminationDate value was supplied by the above lookup. 

|lookup <name of lookup you created in step 3> host AS dest OUTPUT category 

Look up the host in the GDPR categorization lookup that you must supply. When the host in the lookup matches dest in the event, output the category value from the lookup and add it to the event. 

|search category=*

Filter for events that have a value in the category field.

Next steps

You will generate false positives if you are still using an account after the user is disabled, for example, if you provide the manager with access to log in as the user.

The first thing to understand after this alert fires is whether this was some continuation of normal system operations (e.g., the desktop under their desk was still logged in or an iPhone account was still active) versus a deliberate action. Obviously success or failure also carries weight. Finally, particularly for sysadmin type employees in less structured organizations, it's important to make sure that there are no services or scheduled jobs running under that account where disabling the account outright might impact operations.

Additionally, you should monitor the mapped IT assets changes in logging status, adjust for known outages, and prioritize incident response for any failures to report by hosts that are not scheduled for downtime.

GDPR Relevance: Detecting and proving that only individuals who are authorized to access, handle, and process personal data is an industry best practice and can be considered an effective security control, as required by Article 32. Demonstrating that any unauthorized attempts—both failed and successful—from past employees or employees whose authorization has expired, as well as demonstrating that any non-compliant conditions resulting in unauthorized use are properly scoped, investigated, and remediated properly, is required to prove compliance for data privacy audits from authorities (Article 58) or to counteract any compensation claims (Article 82). Additionally, data processors working on behalf of a controller within the organization need to ensure, per Article 28, that only authorized individuals have access to personal data.

For guidance purposes, the below output is an example of what the result could look like. Append   “|table _time EventCode category dest isActive terminationDate user “to the end of the search to produce this result. 

_time EventCode category dest isActive terminationDate user

11/21/20

4624

EU Data

host_12

No

1479445200

user_32

Finally, you might be interested in other processes associated with the Complying with General Data Protection Regulation use case.