
Graph modeling for login events

hsteidel71
Node

Hi All,

I was looking to get some help with how to model a graph to track and analyse Active Directory events (logins to computers).

I have 2 main nodes (users and computers); both are loaded from data exported from Active Directory.

The next step would be to load the event data (timestamp, user, computer, success/error) and build a relationship between the user and the computer node. I was wondering if I should use a relationship with attributes or add an additional node for the event?

One thing to consider is that the event data is a very large dataset to be loaded and queried.

Thanks,
Holger


Joel
Ninja

What questions are you planning to answer with this graph? It could possibly guide how you model it.

hsteidel71
Node

We want to detect abnormal user behaviour, like failed login attempts or logins outside of the normal hours, etc.
We also have more log data (netflow, application logs, etc.) which we want to integrate into this graph to complete the picture.
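One way to model the original question (event node rather than relationship attributes) that also supports the two detections named above, as an added example that is not from this thread. It assumes Neo4j 4.x Cypher, the labels User, Computer and LoginEvent, the properties sAMAccountName, name, timestamp and success, and the working hours 07:00 to 19:00 Monday to Friday; the five event rows are constructed sample data. A separate LoginEvent node per log line can carry an indexed timestamp and later be linked to netflow or application-log nodes, which a relationship property cannot do as easily (relationship property indexes only arrived in Neo4j 4.3).

```cypher
// Added example, not code from this thread. Labels, property names and the
// sample rows below are assumptions; the User and Computer nodes stand in for
// the ones loaded from Active Directory.

// Indexes so that per-user, per-computer and time-range lookups stay fast
// when the event set grows large.
CREATE INDEX user_sam IF NOT EXISTS FOR (u:User) ON (u.sAMAccountName);
CREATE INDEX computer_name IF NOT EXISTS FOR (c:Computer) ON (c.name);
CREATE INDEX login_ts IF NOT EXISTS FOR (e:LoginEvent) ON (e.timestamp);

// Load one LoginEvent node per log line (constructed rows; in practice the
// list comes from a $rows parameter or LOAD CSV in batches).
UNWIND [
  {user: 'alice', computer: 'WS01', ts: '2020-11-06T09:07:28Z', success: true},
  {user: 'alice', computer: 'WS01', ts: '2020-11-07T03:10:01Z', success: false},
  {user: 'alice', computer: 'WS01', ts: '2020-11-07T03:11:05Z', success: false},
  {user: 'alice', computer: 'WS01', ts: '2020-11-07T03:12:09Z', success: false},
  {user: 'alice', computer: 'WS01', ts: '2020-11-07T03:13:14Z', success: false},
  {user: 'alice', computer: 'WS01', ts: '2020-11-07T03:14:20Z', success: false},
  {user: 'bob',   computer: 'WS02', ts: '2020-11-06T20:30:00Z', success: true}
] AS row
MERGE (u:User {sAMAccountName: row.user})
MERGE (c:Computer {name: row.computer})
CREATE (e:LoginEvent {timestamp: datetime(row.ts), success: row.success})
CREATE (u)-[:PERFORMED]->(e)-[:ON]->(c);

// Detection 1: burst of failed logins. Flags a user/computer pair with five or
// more failures whose first and last failure lie within ten minutes of each
// other. For a live check, add a WHERE on e.timestamp to restrict the window
// before collecting, so that old failures are not counted.
MATCH (u:User)-[:PERFORMED]->(e:LoginEvent {success: false})-[:ON]->(c:Computer)
WITH u, c, e ORDER BY e.timestamp
WITH u, c, collect(e.timestamp) AS ts
WHERE size(ts) >= 5 AND last(ts) <= head(ts) + duration('PT10M')
RETURN u.sAMAccountName AS user, c.name AS computer,
       size(ts) AS failures, head(ts) AS first, last(ts) AS last;
// -> alice on WS01: 5 failures between 03:10:01 and 03:14:20 on 2020-11-07

// Detection 2: successful logins outside the assumed working hours
// (07:00-19:00) or on a weekend (dayOfWeek 6 = Saturday, 7 = Sunday).
MATCH (u:User)-[:PERFORMED]->(e:LoginEvent {success: true})-[:ON]->(c:Computer)
WITH u, c, e, e.timestamp.hour AS hour, e.timestamp.dayOfWeek AS dow
WHERE hour < 7 OR hour >= 19 OR dow >= 6
RETURN u.sAMAccountName AS user, c.name AS computer, e.timestamp AS at
ORDER BY at;
// -> bob on WS02 at 2020-11-06T20:30:00Z (after hours)
```

Because each LoginEvent is its own node, the netflow and application-log records mentioned above can later be attached to the same User and Computer nodes (or to the LoginEvent itself) without reshaping the schema; with the relationship-attribute model every new log source would need another relationship type and its own copy of the timestamp.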

Try this:

// One node per user, event date, event time, computer and login outcome;
// MERGE reuses a node when one with the same properties already exists.
MERGE (u:User {name: "user1", id: "u1"})
MERGE (ed:EventDate {date:"20-11-06"})
MERGE (et:EventTime {time: "20:07:28", normalhours: "yes"})
MERGE (c:Computer {id: "xyz"})
MERGE (e1:Logins {success: "yes", attempts: 1, error: "NA"})

// Chain the nodes together; the CONNECT_TIME relationship is given an explicit
// direction so that every MERGE below creates a consistently directed path.
MERGE (u)-[:CONNECT_DATE]->(ed)
MERGE (ed)-[:CONNECT_TIME]->(et)
MERGE (et)-[:COMPUTER]->(c)
MERGE (c)-[:SUCCESS_FAILURE]->(e1)
RETURN u, ed, et, c, e1;


Hi, that looks interesting. I'll try it out and let you know.

Thanks for your help!