Splunk search for AD Logons for Users that Have Escalated Privileges
sourcetype=syslog sudo | stats count by user host | map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"
This search uses the map command: the first stage collects every user and host pair that has escalated privileges with sudo, and map then runs a subsearch per row to return that user's most recent AD logon. In practice, this shows how recently a user with root access logged in.
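The following Python script is an added example, not Splunk's code or part of the original page; it reproduces the same three-stage pipeline (filter sudo events, `stats count by user host`, then a per-row lookup against an `ad_summary` stand-in) over a few constructed syslog lines and a constructed AD summary table, so the correlation logic can be read and run offline. The log lines, the `last_logon` field name and the cap of ten subsearches are assumptions: the cap mimics map's default `maxsearches=10`, which silently bounds how many rows from the stats stage are ever looked up.

```python
import re
from collections import Counter

# Constructed sample syslog lines (the sourcetype=syslog sudo stage); not real data.
SUDO_LOGS = [
    "Mar  3 09:12:41 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Mar  3 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/nginx/error.log",
    "Mar  3 10:01:17 db02 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:05:55 web01 sshd[1234]: Accepted publickey for carol from 10.0.0.5 port 50022 ssh2",
    "Mar  3 11:30:00 db02 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
]

# Constructed stand-in for index=ad_summary; the last_logon field name is an assumption.
AD_SUMMARY = [
    {"username": "alice", "type_logon": "ad_last_logon", "last_logon": "2024-03-03T08:55:00"},
    {"username": "bob", "type_logon": "ad_last_logon", "last_logon": "2024-03-02T17:40:00"},
    {"username": "carol", "type_logon": "ad_last_logon", "last_logon": "2024-03-03T10:04:00"},
    {"username": "bob", "type_logon": "ad_kerberos_tgt", "last_logon": "2024-03-03T09:00:00"},
]

# Standard sudo syslog shape: "<Mon> <day> <time> <host> sudo: <user> : ..."
SUDO_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sudo:\s+(?P<user>\S+)\s+:")


def sudo_stats(lines):
    """Equivalent of `stats count by user host`: sudo events per (user, host)."""
    counts = Counter()
    for line in lines:
        m = SUDO_RE.match(line)
        if m:  # non-sudo lines (e.g. sshd) are dropped, as the search filter would
            counts[(m.group("user"), m.group("host"))] += 1
    return counts


def ad_last_logon(username, ad_events=AD_SUMMARY):
    """Equivalent of the subsearch:
    index=ad_summary username=$user$ type_logon=ad_last_logon"""
    return [e for e in ad_events
            if e["username"] == username and e["type_logon"] == "ad_last_logon"]


def map_last_logons(lines, ad_events=AD_SUMMARY, maxsearches=10):
    """Equivalent of `map`: one subsearch per stats row, capped like maxsearches.

    Unlike map, which only returns the subsearch's own fields, this version
    carries the outer row's host and count through for readability.
    """
    rows = []
    for i, ((user, host), count) in enumerate(sorted(sudo_stats(lines).items())):
        if i >= maxsearches:  # rows beyond the cap are never looked up
            break
        for ev in ad_last_logon(user, ad_events):
            rows.append({"user": user, "host": host,
                         "sudo_count": count, "last_logon": ev["last_logon"]})
    return rows


if __name__ == "__main__":
    for row in map_last_logons(SUDO_LOGS):
        print(row)
```

Two details of the real search are worth keeping in mind when reading the output. First, map returns only what the subsearch emits, so the host and count from the stats stage are lost unless the subsearch echoes them back (for example by adding `| eval host="$host$"` inside the mapped search). Second, map's default `maxsearches` is 10; on a fleet where more than ten distinct user and host pairs escalate privileges, the later rows are skipped, so raise `maxsearches=` in the map call when you need full coverage.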