+2Hii
I have a requirement to check for the users that haven't logged in using a VPN.
The SIEM has logs for the users that have logged in using a VPN, but is there a way to use these logs and check for the users that havent used the VPN to login during the past 30 days?
The requirement is to just get a list of these users?
+8If you’re looking at the VPN logs in SecOps, it’s only going to give you a list of users that logged in, as you will only have events when a user logs in. If you wanted a list of users that haven’t logged in, you could query for the users that have logged in the last 30 days, export the list, and compare it to the full list of users.
SecOps does have the ability to save data into a data table or onto the entity graph, so you could have a data table or entity graph with a list of all users, but you wouldn’t be able to do a full outer join to get the non matching values as that capability is not available.
Unless I’m missing something, I think the best option here is to get a list of users that have logged into the VPN in the last 30 days, export it, and compare it to a full list of users outside of SecOps or….
You could export the events and full list of users to a datalake like BigQuery, and do a full outer join there.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
