Activity from Expired User Identity - on Category

Description

The GDPR requires that only authorized individuals access personal data. Alert when the account of a past employee is used to log into GDPR-tagged systems.


Use Case

Compliance

Category

GDPR

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 4

MITRE ATT&CK Tactics

Privilege Escalation
Persistence

MITRE ATT&CK Techniques

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT3
APT32
APT33
APT39
APT41
Carbanak
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Soft Cell
Stolen Pencil
Suckfly
TEMP.Veles
Threat Group-1314
Threat Group-3390
menuPass

Kill Chain Phases

Actions on Objectives

Data Sources

Windows Security
Authentication

GDPR Relevance

Impact:

Detecting and proving that only authorized individuals access, handle, and process personal data is an industry best practice and can be considered an effective security control, as required by Article 32. Demonstrating that any unauthorized attempts, both failed and successful, by past employees or by employees whose authorization has expired are detected, and that any non-compliant conditions resulting in unauthorized use are properly scoped, investigated, and remediated, is required to prove compliance in data privacy audits by authorities (Article 58) or to counter compensation claims (Article 82). Additionally, data processors working on behalf of a controller within the organization must ensure, per Article 28, that only authorized individuals have access to personal data.

How to Implement

If you have followed the data onboarding guides in this app, this search will work immediately for you. You should generally specify the index where you are storing Windows Security logs (e.g., index=oswinsec), and if you use a mechanism other than the Splunk Universal Forwarder to onboard that data, you should verify the sourcetype and fields that are used. The rest is simple!

Known False Positives

If you are still using an account after the user is disabled, you will see alerts (e.g., if you provide the manager with access to log in as the user).

How To Respond

The first thing to understand after this alert fires is whether this was some continuation of normal system operations (e.g., the desktop under their desk was still logged in, or iPhone account still active) versus a deliberate action. Obviously success or failure also carries weight. Finally, particularly for sysadmin type employees in less structured organizations, it's important to make sure that there are no services or scheduled jobs running under that account where disabling the account outright might impact operations.

Help

Activity from Expired User Identity - on Category Help

This example leverages the Simple Search assistant. Our example dataset is a collection of anonymized Windows Authentication logs, during which someone attempts a brute force against a series of usernames. Our live search looks for Windows Authentication activity across any index in the standard sourcetype.

SPL for Activity from Expired User Identity - on Category

Demo Data

First we bring in our basic demo dataset, in this case showing interactive logins. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so the demo data is cleaner to load.
Next we check a lookup that shows the user status (this would typically be pulled from SA-ldapsearch or ADMon).
Now we can filter for users whose expiration is at least a day ago (timezones are hard), or whose account is disabled.
Next we look up the host in the GDPR categorization lookup. Because we only care about GDPR hosts for this example, we filter for only the hosts that are in scope for GDPR.

Live Data

First we bring in our basic dataset, in this case showing successful logins.
Next we check a lookup that shows the user status (this would typically be pulled from SA-ldapsearch or ADMon).
Now we can filter for users whose expiration is at least a day ago (timezones are hard), or whose account is disabled.
Next we look up the host in the GDPR categorization lookup. Because we only care about GDPR hosts for this example, we filter for only the hosts that are in scope for GDPR.
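The same four-step pipeline (successful logins, user status lookup, expired-or-disabled filter, GDPR host filter) written out in Python as an added example, not the app's own SPL; the event fields, lookup layouts and sample values are constructed for illustration, and the one-day grace is measured against each event's own timestamp.

```python
from datetime import datetime, timedelta

# Constructed sample inputs standing in for the three sources the search joins.
# Successful interactive logons (Windows Security style, already field-extracted).
AUTH_EVENTS = [
    {"_time": "2024-03-10T09:15:00", "user": "jdoe",   "dest": "hr-db01",   "action": "success"},
    {"_time": "2024-03-10T09:20:00", "user": "asmith", "dest": "hr-db01",   "action": "success"},
    {"_time": "2024-03-10T10:05:00", "user": "bwong",  "dest": "build01",   "action": "success"},
    {"_time": "2024-03-10T11:30:00", "user": "mlee",   "dest": "crm-web02", "action": "success"},
    {"_time": "2024-03-10T11:45:00", "user": "cruiz",  "dest": "crm-web02", "action": "failure"},
    {"_time": "2024-03-10T12:00:00", "user": "ghost",  "dest": "hr-db01",   "action": "success"},
]
# Account status lookup, as SA-ldapsearch or ADMon would export it (constructed).
USER_STATUS = {
    "jdoe":   {"status": "enabled",  "expires": "2024-03-08T17:00:00"},  # expired > 1 day before login
    "asmith": {"status": "enabled",  "expires": "2024-03-10T08:00:00"},  # expired < 1 day: inside grace
    "bwong":  {"status": "disabled", "expires": None},
    "mlee":   {"status": "disabled", "expires": None},
    "cruiz":  {"status": "enabled",  "expires": None},
}
# Host categorization lookup (constructed); only hosts tagged GDPR are in scope.
HOST_CATEGORY = {"hr-db01": "GDPR", "crm-web02": "GDPR", "build01": "CI"}

GRACE = timedelta(days=1)  # "at least a day ago": absorbs timezone skew between AD and Splunk


def account_reason(status, at):
    """Return 'disabled' or 'expired' if the account should not be logging in at time `at`, else None."""
    if status["status"].lower() == "disabled":
        return "disabled"
    exp = status.get("expires")
    if exp is not None and datetime.fromisoformat(exp) <= at - GRACE:
        return "expired"
    return None


def find_expired_identity_logins(events, user_status, host_category):
    """Mirror the search: successful logins -> status lookup -> expired/disabled filter -> GDPR hosts."""
    hits = []
    for ev in events:
        if ev["action"] != "success":
            continue
        status = user_status.get(ev["user"])
        if status is None:  # no directory record: the lookup adds no fields, so the filter cannot match
            continue
        reason = account_reason(status, datetime.fromisoformat(ev["_time"]))
        if reason is None or host_category.get(ev["dest"]) != "GDPR":
            continue
        hits.append({"time": ev["_time"], "user": ev["user"], "dest": ev["dest"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_expired_identity_logins(AUTH_EVENTS, USER_STATUS, HOST_CATEGORY):
        print(hit)
```

Note that a login by a user with no directory record at all (the "ghost" row) is silently dropped, exactly as an unmatched lookup would be in the search; if that case matters to you, it needs its own check.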

Screenshot of Demo Data