topic Re: How can I monitor user activity pattern search? in Splunk Search

How can I monitor user activity pattern search?

AL3Z — Mon, 24 Jul 2023 06:28:27 GMT

Hi,

I'm trying to figure out the query to identify when users are connecting to the VPN or not.

Re: Monitor user activity pattern search ...

yuanliu — Mon, 10 Jul 2023 18:05:11 GMT

It is not immediately clear which field will indicate connection to Okta and which that to Cisco/Anyconnect. So the following will just perform a match with _raw. The best would be to narrowly match designated fields. (One reason this is unclear is because the sample data you give is no longer valid JSON because of some inaccuracy during your anonymization. It would help if you can diagnose JSON, or at the minimum use a pretty print before doing anonymization so volunteers can make an educated guess. But in this problem, it shouldn't matter too much because you already know which fields are of interest.)

<your search> earliest=-30d | eval connect_state = if(match(_raw, "okta"), if(match(_raw, "cisco|anyconnect"), "VPN", "On-prem"), "none") | timechart span=1d@d values(connect_state) as connect_state

Is this something you are looking for?

Re: How can I monitor user activity pattern search?

AL3Z — Mon, 24 Jul 2023 06:29:30 GMT

Re: Monitor user activity pattern search ...

yuanliu — Tue, 11 Jul 2023 02:23:31 GMT

To confirm, the Okta info can be discerned from displayMessage when eventType=user.*, and Cisco Anyconnect info can be from targetAppAlternateId when sourcetype=Okta*. Correct? I want to push the solution further by assuming that

"User single sign on to app" is the complete value for displayMessage.
targetAppAlternateId begins with "Cisco" or "Anyconnect".

These assumptions are used to make the base search narrower. You can adjust these or abandon them.

More importantly for efficiency, usually you want to avoid join. So I'm combining the two searches into the base search. Following that, it's just an exercise of stats.

index=xyz ((eventType=user.* displayMessage = "User single sign on to app") OR (sourcetype=Okta* (targetAppAlternateId = "cisco *" OR targetAppAlternateId = "anyconnect*")) earliest=-30d | eval logon = case(match(displayMessage, "User single sign on to app"), "Okta", match(targetAppAlternateId, "anyconnect | Cisco"), "VPN") | bin span=1d@d _time | stats values(logon) as logon by _time userid | eval connectivity_type = if(logon == "Okta", if(logon == "VPN", "VPN", "On-prem"), if(isnull(logon), "none", "!!Anomaly - no Okta, but on VPN"))

Given that Cisco Anyconnect only occurs in sourcetype Okta*, the anomaly I'm trying to flag is probably impossible. So, you can get rid of that, too.

Re: Monitor user activity pattern search ...

AL3Z — Mon, 24 Jul 2023 06:30:12 GMT

Re: Monitor user activity pattern search ...

yuanliu — Wed, 12 Jul 2023 06:54:24 GMT

I'm confused. I didn't use anything like 1 == 1. I also did not try to define "none" in case, because it is more expressive to just use if based on your definition of VPN vs on-prem. In fact, if sourcetype is always okta*, the base search can be further simplified. But this begs the question: Can displayMessage and targetAppAlternateId appear in the same event? If a VPN logon event satisfies both match(targetAppAlternateId, "anyconnect|Cisco") and match(displayMessage, "User single sign on to app"), you would be correct that the anomaly is impossible so you don't have to capture it. The order of the first case function, meanwhile, needs to be adjusted. In fact, it would best be expressed as nested if.

index=xyz ((eventType=user.* displayMessage = "User single sign on to app") OR (sourcetype=Okta* (targetAppAlternateId = "cisco*" OR targetAppAlternateId = "anyconnect*")) earliest=-30d | eval logon = case(match(targetAppAlternateId, "anyconnect|Cisco"), "VPN", match(displayMessage, "User single sign on to app"), "Okta") | bin span=1d@d _time | stats values(logon) as logon by _time userid | eval connectivity_type = if(logon == "Okta", if(logon == "VPN", "VPN", "On-prem"), "none")

Re: Monitor user activity pattern search ...

AL3Z — Wed, 12 Jul 2023 17:46:38 GMT

@yuanliu

How we can bound this to time as last day i was on okta and in the same day i logged in via VPN

so it should show okta and VPN

bounding this with time will be like

Only Okta On Prem

in same day if Okta + VPN = VPN so for same date it should show On Prem & VPN

How we can achieve this ?

Thanks..

Re: Monitor user activity pattern search ...

yuanliu — Wed, 12 Jul 2023 21:07:59 GMT

bounding this with time will be like
Only Okta On Prem
in same day if Okta + VPN = VPN so for same date it should show On Prem & VPN

This is the reason why I asked for clarification: Do displayMessage and targetAppAlternateId appear in the same event? One step further: If I use VPN, will one single event satisfy both match(targetAppAlternateId, "anyconnect|Cisco") and match(displayMessage, "User single sign on to app")? My previous reply stated that the search was based on these being true as I inferred from your previous message. If these are not true, my first search should have already covered the case (save some additional assumption about actual matches). To really hone the solution, you will need to illustrate sample data (anonymize as needed), explain key features in the dataset that volunteers will need to pay attention to, and illustrate the desired results.

Here, I will relist the past two "solutions" based on data assumptions with some small refinements.

1. Solution 2, if a VPN logon will show in single event satisfying match(targetAppAlternateId, "anyconnect|Cisco") and match(displayMessage, "User single sign on to app"); an on-prem logon showing only events satisfying match(displayMessage, "User single sign on to app") and NOT match(targetAppAlternateId, "anyconnect|Cisco").

index=xyz sourcetype=Okta* ((eventType=user.* displayMessage = "User single sign on to app") OR (targetAppAlternateId = "cisco*" OR targetAppAlternateId = "anyconnect*") earliest=-30d | eval logon = case(match(targetAppAlternateId, "anyconnect|Cisco"), "VPN", match(displayMessage, "User single sign on to app"), "Okta") | bin span=1d@d _time | stats values(logon) as logon by _time userid | eval connectivity_type = if(logon == "Okta", if(logon == "VPN", "VPN", "On-prem"), "none")

This should work because match(targetAppAlternateId, "anyconnect|Cisco") would have implied match(displayMessage, "User single sign on to app") when data characteristics is as described.

2. If Akta logon and VPN logon are totally independent events, i.e., match(targetAppAlternateId, "anyconnect|Cisco") does not imply match(displayMessage, "User single sign on to app"),

index=xyz sourcetype=Okta* ((eventType=user.* displayMessage = "User single sign on to app") OR (targetAppAlternateId = "cisco*" OR targetAppAlternateId = "anyconnect*) earliest=-30d | eval logon = case(match(displayMessage, "User single sign on to app"), "Okta", match(targetAppAlternateId, "anyconnect|Cisco"), "VPN") | bin span=1d@d _time | stats values(logon) as logon by _time userid | eval connectivity_type = if(logon == "Okta", if(logon == "VPN", "VPN", "On-prem"), if(isnull(logon), "none", "!!Anomaly - no Okta, but on VPN"))

If your data have other characteristics not covered above, you need to elaborate.

Re: Monitor user activity pattern search ...

AL3Z — Thu, 13 Jul 2023 08:28:43 GMT

@yuanliu
I apologize for not providing adequate clarification earlier.

Actually when user is on VPN you will see below events

Okta + cisco or Anyconnect

when user is on on-prem you will see only one event

Okta

When user logon from office he is on okta other than office he logon via vpn i.e okta+vpn
if there are multiple occurrences of logon on the same day then it should show on -prem & vpn .

*with out okta connecting to vpn is not possible *

Thanks

Re: Monitor user activity pattern search ...

yuanliu — Thu, 13 Jul 2023 10:01:29 GMT

Actually when user is on VPN you will see below events
Okta + GP or Anyconnect
when user is on on-prem you will see only one event
Okta

I interpret this as the 2nd scenario in my previous post. Have you tried this?

(I removed the anomaly handling but otherwise it's the same.) Please post output if differs from desired results (with illustration of desired results), also illustrate raw events. (If anonymized, make sure to validate JSON. The first posted sample is invalid.)

Re: How can I monitor user activity pattern search?

AL3Z — Mon, 24 Jul 2023 06:30:55 GMT

Re: How can I monitor user activity pattern search?

yuanliu — Thu, 13 Jul 2023 22:40:28 GMT

You still haven't illustrated what the output from my search is, and demonstrate desired result so I can see the difference; also, you haven't illustrated any valid JSON events to demonstrate what happened when your went on-prem, and what happened when you went home to connect via VPN. Without data, troubleshooting data analytics problems is nearly impossible. Without demonstration of your desired results, a lot of what we discuss is pure speculation.

Perhaps there's a discrepancy between your desired results and your original description, too. You originally said "search by user on a daily basis":

if they have accessed OKTA and ( "anyconnect" or Cisco) if they do, we populate VPN connected for that date. If they only have accessed OKTA and NOT ("anyconnect" or Cisco), then we populate ON Prem Connected for that date. If they have neither we populate none for the date.

(Highlights are mine.) This means that for any given date, you only populate one state. This is particularly important with scenario 2, when Okta and VPN logons are independent events. (In scenario 1, you automatically get multiple states if state changes within one day.) What is the criteria to tell which VPN logon is supposed to be grouped with which Okta logon? You have not even described in which order the two type of events would happen in real data if they are associated with one user action. (Also, is such order stable in Splunk? For example, if they occur within 1ms from each other, will Splunk always give the accurate order?)

Suppose Okta happens first, VPN happens second. Your last week's experience (I assume you were describing your change of location within one day) would produce the following events.

Okta logon,
Okta logon,
VPN logon

Unless there is a logoff event between 1 and 2 that Splunk is aware of, or if there exist other criteria that you can describe in terms of Splunk data, there is no way to know how the two Okta logon events relate to each other, are they from one user action or two, and so on.

Re: How can I monitor user activity pattern search?

AL3Z — Thu, 13 Jul 2023 19:21:37 GMT

My output is
_time user logon connectivity_type

7/13/23 xyz Okta VPN

VPN

How do you want me to send _raw event to Json ?

*how we can bound connectivity_type this with time ?

Re: How can I monitor user activity pattern search?

yuanliu — Thu, 13 Jul 2023 23:07:26 GMT

To get raw JSON even, first search for the events in which user xyz (you) logged on that day, both okta events and VPN events. For JSON events, you'll see a link "Show as raw text" in events window. Click it to get raw text. Load them into an editor and anonymize. (I thought you did this in the original description, except the anonymization did not preserve the original JSON format so the posted text is not valid JSON. Be careful with editing; use a JSON helper/validator if needed.)

Back to the output. I see that the search correctly captures both logon types. In that case, try another test on user xyz (you) on this day when you had both on-prem and VPN connections.

index=xyz sourcetype=Okta* userid="xyz" ((eventType=user.* displayMessage = "User single sign on to app") OR (targetAppAlternateId = "cisco*" OR targetAppAlternateId = "anyconnect*) earliest=-30d | eval logon = case(match(displayMessage, "User single sign on to app"), "Okta", match(targetAppAlternateId, "anyconnect|Cisco"), "VPN") | eval timestamp = strftime(_time, "%FT%H:%M:%S") | where isnotnull(logon) | bin span=1d@d _time | stats list(logon) as logon list(timestamp) as timestamp by _time userid | eval connectivity_type = if(logon == "Okta", if(logon == "VPN", "VPN", "On-prem"), "none")

What is the output?

Re: How can I monitor user activity pattern search?

AL3Z — Mon, 24 Jul 2023 06:33:23 GMT

...

Re: How can I monitor user activity pattern search?

AL3Z — Mon, 24 Jul 2023 06:33:55 GMT

Re: How can I monitor user activity pattern search?

yuanliu — Wed, 19 Jul 2023 05:41:37 GMT

Let's settle one subject at a time. (It would be much easier if you posted output in text.) So, on this given day, you had two pairs of logon events. From first (top) to last (bottom):

1	2023-06-21T10:12:09	VPN
2	2023-06-21T10:12:09	Okta
3	2023-06-21T17:18:03	VPN
4	2023-06-21T17:18:03	Okta

First of all, I observe that events in each pair happened within the same calendar second. Is this sufficient condition to deem 1-2 the same user action, and 3-4 the same?

Secondly, how does this indicate that one of them is from home, one of them on-prem? To me, these two pairs indicate the exact same kind of user action, namely at home.

Re: How can I monitor user activity pattern search?

AL3Z — Mon, 24 Jul 2023 06:38:33 GMT

Re: How can I monitor user activity pattern search?

AL3Z — Mon, 24 Jul 2023 06:36:44 GMT

...

Re: How can I monitor user activity pattern search?

yuanliu — Thu, 20 Jul 2023 03:45:51 GMT

I do not understand.

In this we get to see the Cisco auth ....

{
"actor": {
"id": "00u12x51ytWyIKps6357",
"type": "User",
"alternateId": "xyz.com",
...

This event doesn't contain the field targetAppAlternateId at all. How could this yield VPN? For the search to show VPN, it much satisfy match(targetAppAlternateId, "anyconnect|Cisco").