https://community.splunk.com/t5/Splunk-Search/Salesforce%E3%81%AE%E3%83%AD%E3%82%B0%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/579333#M201878 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241705">@satiku</a>&nbsp;</P><P>(I am answering based on the translation provided by&nbsp;<A href="https://translate.google.com/" target="_blank" rel="noopener">https://translate.google.com/</A>.)</P><P>In the following examples, replace index=sfdc with your Salesforce index. If you are using Splunk Add-on for Salesforce, authentication events have tag=authentication.</P><P>Search for users who logged in two weeks ago but have not logged in during the last week:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">index=sfdc tag=authentication user=* action=success earliest=-2w latest=-1w NOT [ search index=sfdc tag=authentication user=* action=success earliest=-1w latest=now | stats latest(_time) as _time by user | table user ]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I do not know what a locked user looks like in Salesforce logs, but if we assume login failures lead to locked users, we can look for failures for multiple users from the same source:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">index=sfdc tag=authentication user=* action=failure | eventstats dc(user) as user_count by src | where user_count&gt;1</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>These examples can be adapted to use the Authentication data model as well, but you would want to filter by the app field or another field specific to Salesforce.</P> Mon, 27 Dec 2021 16:40:38 GMT tscroggins 2021-12-27T16:40:38Z https://community.splunk.com/t5/Splunk-Search/Salesforce%E3%81%AE%E3%83%AD%E3%82%B0%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/579169#M201836 <P>Salesforceのログにて以下の要件でSPLを作成したいと考えております。</P><P>&nbsp;</P><P>①1週間以上 、 毎日複数回ログインを失敗しているユーザ&nbsp;<BR />②同一IP で複数のユーザ ID に対してログインロックされているユーザの検知</P><P>&nbsp;</P><P>どのようなSPLをかけばよいでしょうか。</P><P>&nbsp;</P> Thu, 23 Dec 2021 09:25:42 GMT https://community.splunk.com/t5/Splunk-Search/Salesforce%E3%81%AE%E3%83%AD%E3%82%B0%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/579169#M201836 satiku 2021-12-23T09:25:42Z https://community.splunk.com/t5/Splunk-Search/Salesforce%E3%81%AE%E3%83%AD%E3%82%B0%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/579333#M201878 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241705">@satiku</a>&nbsp;</P><P>(I am answering based on the translation provided by&nbsp;<A href="https://translate.google.com/" target="_blank" rel="noopener">https://translate.google.com/</A>.)</P><P>In the following examples, replace index=sfdc with your Salesforce index. If you are using Splunk Add-on for Salesforce, authentication events have tag=authentication.</P><P>Search for users who logged in two weeks ago but have not logged in during the last week:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">index=sfdc tag=authentication user=* action=success earliest=-2w latest=-1w NOT [ search index=sfdc tag=authentication user=* action=success earliest=-1w latest=now | stats latest(_time) as _time by user | table user ]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I do not know what a locked user looks like in Salesforce logs, but if we assume login failures lead to locked users, we can look for failures for multiple users from the same source:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">index=sfdc tag=authentication user=* action=failure | eventstats dc(user) as user_count by src | where user_count&gt;1</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>These examples can be adapted to use the Authentication data model as well, but you would want to filter by the app field or another field specific to Salesforce.</P> Mon, 27 Dec 2021 16:40:38 GMT https://community.splunk.com/t5/Splunk-Search/Salesforce%E3%81%AE%E3%83%AD%E3%82%B0%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/579333#M201878 tscroggins 2021-12-27T16:40:38Z