Activity from Expired User Identity - on Category
Description
The GDPR requires that only authorized individuals access personal data. This search alerts when the account of a past employee is used to log into GDPR-tagged systems.
Content Mapping
GDPR Relevance
Impact: Detecting and proving that only authorized individuals access, handle, and process personal data is an industry best practice and can be considered an effective security control, as required by Article 32. To prove compliance in data privacy audits by supervisory authorities (Article 58), or to counter compensation claims (Article 82), an organization must be able to demonstrate any unauthorized access attempts, both failed and successful, by past employees or employees whose authorization has expired, and to demonstrate that any non-compliant conditions resulting in unauthorized use are properly scoped, investigated, and remediated. Additionally, data processors working on behalf of a controller within the organization need to ensure, per Article 28, that only authorized individuals have access to personal data.
How to Implement
If you have followed the data onboarding guides in this app, this search will work immediately for you. You should generally specify the index where you are storing Windows Security logs (e.g., index=oswinsec), and if you use a mechanism other than the Splunk Universal Forwarder to onboard that data, you should verify the sourcetype and fields that are used. The rest is simple!
Known False Positives
If an account is still in use after the user is disabled, you will see alerts (e.g., if you give the user's manager access to log in as the user).
How To Respond
The first thing to understand after this alert fires is whether this was a continuation of normal system operations (e.g., the desktop under their desk was still logged in, or the account was still active on their iPhone) or a deliberate action. Whether the logon succeeded or failed also carries weight. Finally, particularly for sysadmin-type employees in less structured organizations, it's important to make sure that there are no services or scheduled jobs running under that account, where disabling the account outright might impact operations.
Help
This example leverages the Simple Search assistant. Our example dataset is a collection of anonymized Windows Authentication logs, during which someone attempts a brute force against a series of usernames. Our live search looks for Windows Authentication activity across any index in the standard sourcetype.
SPL for Activity from Expired User Identity - on Category
Demo Data
1. First we bring in our basic demo dataset, in this case showing interactive logins. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
2. Next we check a lookup that shows the user status (this would typically be pulled from SA-ldapsearch or ADMon).
3. Now we can filter for users whose expiration is at least a day ago (timezones are hard), or who are disabled.
4. Next we look up the host in the GDPR categorization lookup. Because we only care about GDPR hosts for this example, we filter for only the hosts that are in scope for GDPR.
Live Data
1. First we bring in our basic dataset, in this case showing successful logins.
2. Next we check a lookup that shows the user status (this would typically be pulled from SA-ldapsearch or ADMon).
3. Now we can filter for users whose expiration is at least a day ago (timezones are hard), or who are disabled.
4. Next we look up the host in the GDPR categorization lookup. Because we only care about GDPR hosts for this example, we filter for only the hosts that are in scope for GDPR.
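The SPL behind the Demo Data and Live Data steps is not reproduced on this page, so the following is an added Python model of the same four-stage logic (logons, user-status lookup, expired-or-disabled filter with the one-day grace, GDPR host filter), plus an exceptions list for the accounts named under Known False Positives. It is example code, not the app's own search; the sample logons, the user-status and host-category lookups, the field names and the `gdpr` category value are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for the three inputs the search joins:
# successful logons, a user-status lookup (what SA-ldapsearch or ADMon would
# export), and the GDPR host-categorization lookup. None of it is real.
LOGONS = [
    {"_time": "2024-03-10T08:02:11Z", "user": "jdoe",    "host": "hr-db01"},
    {"_time": "2024-03-10T08:05:40Z", "user": "mrivera", "host": "build01"},
    {"_time": "2024-03-10T09:17:03Z", "user": "mrivera", "host": "crm-app02"},
    {"_time": "2024-03-10T09:30:55Z", "user": "akim",    "host": "crm-app02"},
    {"_time": "2024-03-10T10:01:00Z", "user": "svc_bak", "host": "hr-db01"},
]
USER_STATUS = {  # "expires" is a directory date with no time zone attached
    "jdoe":    {"status": "enabled",  "expires": None},
    "mrivera": {"status": "enabled",  "expires": "2024-03-08"},  # left the company
    "akim":    {"status": "disabled", "expires": None},
    "svc_bak": {"status": "enabled",  "expires": "2024-03-10"},  # expired < 1 day ago
}
HOST_CATEGORY = {"hr-db01": "gdpr", "crm-app02": "gdpr", "build01": "dev"}

def is_expired_identity(status, now, grace=timedelta(days=1)):
    """Disabled, or expired at least `grace` before `now`. The one-day grace
    absorbs the offset between a local directory date and UTC log timestamps."""
    if status["status"] == "disabled":
        return True
    if status["expires"] is None:
        return False
    expires = datetime.fromisoformat(status["expires"]).replace(tzinfo=timezone.utc)
    return now - expires >= grace

def expired_identity_logons(logons, user_status, host_category, now, exceptions=()):
    """Return {user: {"count": n, "hosts": [...]}} for logons by expired or
    disabled accounts onto GDPR-categorised hosts. `exceptions` holds accounts
    deliberately kept in use (see Known False Positives) and is skipped."""
    alerts = {}
    for event in logons:
        status = user_status.get(event["user"])
        if status is None or event["user"] in exceptions:
            continue  # unknown to the directory, or an approved exception
        if not is_expired_identity(status, now):
            continue
        if host_category.get(event["host"]) != "gdpr":
            continue  # only GDPR-scoped hosts matter for this use case
        entry = alerts.setdefault(event["user"], {"count": 0, "hosts": set()})
        entry["count"] += 1
        entry["hosts"].add(event["host"])
    return {u: {"count": e["count"], "hosts": sorted(e["hosts"])} for u, e in alerts.items()}

def run_demo(exceptions=()):
    """Evaluate the constructed data as of a fixed UTC instant."""
    now = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
    return expired_identity_logons(LOGONS, USER_STATUS, HOST_CATEGORY, now, exceptions)

if __name__ == "__main__":
    print(run_demo())
```

With the constructed data, mrivera (expired two days earlier) and akim (disabled) are flagged on crm-app02, while svc_bak, whose expiry date is less than a day old, falls inside the grace window and is not.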
Screenshot of Demo Data
