Can i use last seen for a user in a rule

Forum|Forum|1 year ago
January 25, 2024
2 replies
17 views

+10

rahul7514
Bronze 2

Hi

I would like to know if i can user the last seen metric of a user in a YARA rule , if yes while i am using i am not seeing the result

My YARA rule is this

rule Inactive_Account {

meta:

author = "Rahul"

description = "Discovers previously inactive accounts ."

severity = "Medium"

events:

$login.metadata.event_type = "USER_LOGIN"

$login.metadata.vendor_name ="Microsoft"

$login.metadata.product_event_type = "4624"

$login.target.user.userid != /.*\\$/ nocase

$login.target.user.userid = $user

$entity.graph.metadata.entity_type = "USER"

$entity.graph.entity.user.userid = $user

$entity.graph.metric.last_seen.seconds = $secondlastseen

match:

$user over 24h

condition:

$login and $entity

}

D

+4

DanHansen
Bronze 1
Forum|Forum|1 year ago
April 3, 2024

Yes it can as John Stoner shows here in his New to Chronicle Blog. I'm not certain but maybe it's last_seen_time.seconds instead of last_seen.seconds? I am pretty certain it's just a small syntax error though or maybe a missing line?

Like

+5

AfvanJaffer
Bronze 5
Forum|Forum|9 months ago
March 18, 2025

the last_seen_time is not available for the USER entity type...

Based on the doc:

"The first_seen_time and last_seen_time fields are populated with entities that describe a domain, IP address, and file (hash). For entities that describe a user or asset, only the first_seen_time field is populated. These values are not calculated for entities that describe other types, such as a group or resource."

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded