Graph modeling for login events

Hi All,

I was looking to get some help in how to model a graph to track and analyse active directory events (logins to computers).

I have 2 main nodes (users and computers); both are loaded from data exported from Active Directory.

The next step would be to load the event data (timestamp, user, computer, success/error) and build a relationship between the user and the computer node. I was wondering if I should use a relationship with attributes or add an additional node for the event?

One thing to consider is that the event data is a very large dataset to be loaded and queried.

Thanks,
Holger

What questions are you planning to answer with this graph? It could possibly guide how you model it.

We want to detect abnormal user behaviour, like failed login attempts or logins outside of the normal hours, etc.
We also have more log data (netflow, application logs, etc.) which we want to integrate into this graph to complete the picture.

Try this:

// Nodes: the user, the date and time of the event, the computer, and the login outcome
MERGE (u:User {name: "user1", id: "u1"})
MERGE (ed:EventDate {date:"20-11-06"})
MERGE (et:EventTime {time: "20:07:28", normalhours: "yes"})
MERGE (c:Computer {id: "xyz"})
MERGE (e1:Logins {success: "yes", attempts: 1, error: "NA"})

// Relationships chain user -> date -> time -> computer -> outcome
// (all edges directed; the original CONNECT_TIME edge had no direction)
MERGE (u)-[:CONNECT_DATE]->(ed)
MERGE (ed)-[:CONNECT_TIME]->(et)
MERGE (et)-[:COMPUTER]->(c)
MERGE (c)-[:SUCCESS_FAILURE]->(e1)
RETURN u, ed, et, c, e1;

Result:
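As an added example (not code from this thread or its participants), the following Cypher shows the other option raised in the question: one `LoginEvent` node per record, sitting between the `User` and `Computer` nodes, followed by two detection queries for the behaviours mentioned above (bursts of failed logins, and successful logins outside normal hours). Labels, property names, the 07:00-19:00 "normal hours" window, the failure threshold of 3 and all sample rows are assumptions chosen for illustration; the `CREATE INDEX ... IF NOT EXISTS` syntax is Neo4j 4.x.

```cypher
// Index on the event timestamp: the event set is the large one, and both
// detection queries below filter or range-scan on it.
CREATE INDEX login_event_at IF NOT EXISTS FOR (e:LoginEvent) ON (e.at);

// Sample data (constructed for this example): two users, two computers,
// and a handful of logon records as they would come out of the event export.
MERGE (:User {sam: "alice"})
MERGE (:User {sam: "svc_backup"})
MERGE (:Computer {hostname: "WS-001"})
MERGE (:Computer {hostname: "DC-01"})
WITH 1 AS _
UNWIND [
  {user: "alice",      host: "WS-001", ts: "2020-11-06T08:12:00", ok: true,  err: null},
  {user: "alice",      host: "WS-001", ts: "2020-11-06T23:40:00", ok: true,  err: null},
  {user: "svc_backup", host: "DC-01",  ts: "2020-11-06T02:01:00", ok: false, err: "bad password"},
  {user: "svc_backup", host: "DC-01",  ts: "2020-11-06T02:05:00", ok: false, err: "bad password"},
  {user: "svc_backup", host: "DC-01",  ts: "2020-11-06T02:18:00", ok: false, err: "bad password"},
  {user: "svc_backup", host: "DC-01",  ts: "2020-11-06T02:21:00", ok: true,  err: null}
] AS row
MATCH (u:User {sam: row.user}), (c:Computer {hostname: row.host})
// One node per event: it can later be linked to netflow or application-log
// nodes without touching the User/Computer schema.
CREATE (u)-[:LOGGED_ON]->(:LoginEvent {at: datetime(row.ts), success: row.ok, error: row.err})-[:TO]->(c);

// Detection 1: failed-login bursts.
// For each failed event e1, count failures by the same user on the same
// computer in the hour starting at e1 (e1 itself included) and report
// windows that reach the threshold. Bound e1.at to a recent range in
// production so the index limits the scan.
MATCH (u:User)-[:LOGGED_ON]->(e1:LoginEvent {success: false})-[:TO]->(c:Computer)
MATCH (u)-[:LOGGED_ON]->(e2:LoginEvent {success: false})-[:TO]->(c)
WHERE e2.at >= e1.at AND e2.at < e1.at + duration({hours: 1})
WITH u, c, e1, count(e2) AS failures
WHERE failures >= 3
RETURN u.sam AS user, c.hostname AS computer, e1.at AS windowStart, failures
ORDER BY failures DESC, windowStart;
// Expected on the sample data: svc_backup / DC-01 / 2020-11-06T02:01Z / 3

// Detection 2: successful logins outside normal hours (assumed 07:00-19:00)
// or on weekends. Replace the fixed window with a per-user baseline once
// enough history is loaded.
MATCH (u:User)-[:LOGGED_ON]->(e:LoginEvent {success: true})-[:TO]->(c:Computer)
WHERE e.at.hour < 7 OR e.at.hour >= 19 OR e.at.dayOfWeek >= 6
RETURN u.sam AS user, c.hostname AS computer, e.at AS at
ORDER BY at;
// Expected on the sample data: svc_backup at 02:21 and alice at 23:40
```

The trade-off between the two models: a `LOGGED_ON {at, success}` relationship with properties is lighter and needs one fewer hop per query, but a relationship cannot itself be the endpoint of another relationship, so once the netflow and application-log data arrive there is nothing to attach them to. A `LoginEvent` node costs one extra node per record but gives every event an identity that other sources can point at, which is why it is used here.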

Hi, that looks interesting. I'll try it out and let you know.

Thanks for your help!