1 Reply Latest reply on Oct 23, 2013 1:22 PM by rth67

    Service Account Auth report

    infosec_wizard

      I am working on a project to identify which of our service accounts are performing interactive or network logins in our network. I have all of our service accounts (around 500) in a watchlist, the sig ID for an account logon, and the logon_type field set in a report. The problem I'm running into is this report is generating way too much data at once. I need the data for the last 30 days, but it's producing too many events for Excel to process. I really only need to know if any of the accounts has logged in once within the 30 days, not every time they do.

      Anyone know of a way to filter the data to get what I want? If not, I'll have to run 60 reports (two 12-hour reports for each day in the 30-day period) to get the data I need.

        • 1. Re: Service Account Auth report
          rth67

          Try adding a Table to your Report; using the drop-down, select "Event Queries" and then select Signature IDs, and add any Filters needed.

          This Event Query is going to provide the Rule Message, Signature ID, Source IP, and SUM (Event Count). Then, in your report builder, group by Source User.

          You should get a Total Count of events per user.

          You can do the same thing with the Reporting Queries, but you have to select your own fields to include in the report, and use the "Group By" to have it provide the SUM.

          You may need to tweak things if you have multiple domains, or people logging in locally, etc.
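
The grouping described in the reply can also be applied to a raw export outside the SIEM. The script below is an added example, not part of the thread and not vendor code: it collapses events to one row per service account and logon type, and lists watchlisted accounts that never appear. The CSV column names, account names and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Windows logon types of interest: 2 = interactive, 3 = network, 10 = remote interactive (RDP).
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote_interactive"}

# Constructed sample export; the column names are assumptions, not the SIEM's own schema.
SAMPLE_EXPORT = """last_time,source_user,logon_type,source_ip,event_count
2013-10-01 02:00:00,svc_backup,3,10.0.0.5,40
2013-10-01 14:00:00,SVC_BACKUP,3,10.0.0.5,12
2013-10-02 09:15:00,svc_sql,2,10.0.0.9,1
2013-10-03 11:30:00,jdoe,2,10.0.0.77,3
2013-10-04 08:00:00,svc_web,5,10.0.0.12,900
2013-10-05 23:45:00,svc_sql,10,10.0.0.31,2
"""

def summarize_logons(rows, watchlist):
    """Collapse events to one record per (account, logon type) for watchlisted accounts."""
    watch = {name.lower() for name in watchlist}
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "sources": set()})
    for row in rows:
        user = row["source_user"].strip().lower()
        kind = LOGON_TYPES.get(row["logon_type"].strip())
        if user not in watch or kind is None:
            continue  # not a service account, or a logon type we do not care about
        rec = summary[(user, kind)]
        rec["count"] += int(row["event_count"] or 1)
        ts = row["last_time"]  # fixed-width timestamps in this format sort correctly as strings
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["sources"].add(row["source_ip"])
    return dict(summary)

def never_seen(summary, watchlist):
    """Watchlisted accounts with no interactive or network logon in the period."""
    seen = {user for user, _ in summary}
    return sorted(name.lower() for name in watchlist if name.lower() not in seen)

if __name__ == "__main__":
    watchlist = ["svc_backup", "svc_sql", "svc_web", "svc_idle"]
    result = summarize_logons(csv.DictReader(io.StringIO(SAMPLE_EXPORT)), watchlist)
    for (user, kind), rec in sorted(result.items()):
        print(user, kind, rec["count"], rec["first"], rec["last"], sorted(rec["sources"]))
    print("no interactive/network logon:", never_seen(result, watchlist))
```

Because rows are read one at a time and only the per-account summary is kept in memory, a 30-day export can be processed in a single pass regardless of how many events it contains.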