<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to query for MFA and SSO on network in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-query-for-MFA-and-SSO-on-network/m-p/691026#M235344</link>
    <description>&lt;P&gt;&lt;SPAN&gt;1. If you have your SSO/MFA data ingested and parsed correctly, also using Splunk's TAs, most of them come with out-of-the-box tags that can be used to search for the data type.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Simple example: this will search for authentication data across your defined indexes and present the results (the tags search for authentication data). You can add your sourcetypes as well.&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=linux OR index=Windows OR index=my_SSO_data tag=authentication&lt;/LI-CODE&gt;&lt;P&gt;&lt;SPAN&gt;You can find the tags via the GUI (the easy way), or inspect the TA itself (eventtypes and tags).&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;2. If you have not ingested the data, then you need to ensure the below.&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Example&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Okta SSO / MFA: Okta would provide authentication data somewhere, in logs or via an API. You then need to onboard this data into Splunk, ensure there is a TA that helps with the parsing and tagging, then analyse the data to see what it gives you and run various queries to give you the results you are looking for.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Windows Event Logs normally give you authentication data based on AD / logon events; they also provide Azure AD / Entra, so if you used these you would again need to ingest that data into Splunk first and then run queries.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Side note:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Using Splunk you can check which TAs have tags for authentication:&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| rest splunk_server=local services/configs/conf-tags
| rename eai:acl.app AS app, title AS tag
| table app tag authentication&lt;/LI-CODE&gt;&lt;P&gt;&lt;SPAN&gt;This will show you the eventtypes which are associated with tags:&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| rest splunk_server=local services/configs/conf-eventtypes
| rename eai:acl.app AS app, title AS eventtype
| table app search eventtype&lt;/LI-CODE&gt;</description>
    <pubDate>Tue, 18 Jun 2024 16:20:27 GMT</pubDate>
    <dc:creator>deepakc</dc:creator>
    <dc:date>2024-06-18T16:20:27Z</dc:date>
    <item>
      <title>How to query for MFA and SSO on network</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-query-for-MFA-and-SSO-on-network/m-p/690995#M235330</link>
      <description>&lt;P&gt;&lt;EM&gt;Thank you everyone for taking the time to read this. I am new to Splunk and interested in learning more. I have a project at home, and it has to do with viewing authentication traffic on a given network.&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;The challenge I face:&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;I need to view what authentication method is being used to access what resource on the network for a given index and sourcetype. For example, Windows systems do not have an attribute solely representing whether the access to the node was SSO or MFA; all I get is an event ID 4624.&amp;nbsp;&lt;A href="https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4624.html#:~:text=Event%20ID%204624%20(viewed%20in,4625%20documents%20failed%20logon%20attempts." target="_blank"&gt;Windows Event ID 4624, successful logon — Dummies guide, 3 minute read (manageengine.com)&lt;/A&gt;&amp;nbsp;My understanding is that I have to gather a few attributes and make an educated guess about what access was used. I was hoping to find a one-liner lol that will show me what resource is using what authentication method. Any help would be appreciated and virtual drinks on me if we strike gold &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 18 Jun 2024 14:02:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-query-for-MFA-and-SSO-on-network/m-p/690995#M235330</guid>
      <dc:creator>sgtwolf1</dc:creator>
      <dc:date>2024-06-18T14:02:04Z</dc:date>
    </item>
    <item>
      <title>Re: How to query for MFA and SSO on network</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-query-for-MFA-and-SSO-on-network/m-p/691026#M235344</link>
      <description>&lt;P&gt;&lt;SPAN&gt;1. If you have your SSO/MFA data ingested and parsed correctly, also using Splunk's TAs, most of them come with out-of-the-box tags that can be used to search for the data type.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Simple example: this will search for authentication data across your defined indexes and present the results (the tags search for authentication data). You can add your sourcetypes as well.&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=linux OR index=Windows OR index=my_SSO_data tag=authentication&lt;/LI-CODE&gt;&lt;P&gt;&lt;SPAN&gt;You can find the tags via the GUI (the easy way), or inspect the TA itself (eventtypes and tags).&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;2. If you have not ingested the data, then you need to ensure the below.&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Example&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Okta SSO / MFA: Okta would provide authentication data somewhere, in logs or via an API. You then need to onboard this data into Splunk, ensure there is a TA that helps with the parsing and tagging, then analyse the data to see what it gives you and run various queries to give you the results you are looking for.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Windows Event Logs normally give you authentication data based on AD / logon events; they also provide Azure AD / Entra, so if you used these you would again need to ingest that data into Splunk first and then run queries.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Side note:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Using Splunk you can check which TAs have tags for authentication:&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| rest splunk_server=local services/configs/conf-tags
| rename eai:acl.app AS app, title AS tag
| table app tag authentication&lt;/LI-CODE&gt;&lt;P&gt;&lt;SPAN&gt;This will show you the eventtypes which are associated with tags:&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| rest splunk_server=local services/configs/conf-eventtypes
| rename eai:acl.app AS app, title AS eventtype
| table app search eventtype&lt;/LI-CODE&gt;</description>
      <pubDate>Tue, 18 Jun 2024 16:20:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-query-for-MFA-and-SSO-on-network/m-p/691026#M235344</guid>
      <dc:creator>deepakc</dc:creator>
      <dc:date>2024-06-18T16:20:27Z</dc:date>
    </item>
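Added example, not code from the thread above: the reply says that once Windows, Okta and Entra events are onboarded you have to analyse what each source actually gives you before you can answer "which resource was reached with which authentication method". This script is a worked version of that step. All sample events are constructed; the field names are assumptions based on the Splunk Add-on for Microsoft Windows (Logon_Type, Authentication_Package, Logon_Process, ComputerName), the Okta System Log (eventType, outcome.result, authenticationContext.externalSessionId) and Microsoft Entra sign-in logs (authenticationRequirement, mfaDetail). The Windows branch deliberately returns no MFA verdict, because event 4624 records the logon type and the package that validated the credential but carries no field saying whether an MFA prompt was satisfied; the Okta branch correlates the separate MFA and SSO events of one session, and the Entra branch reads the MFA outcome directly.

```python
"""Infer authentication method and MFA status from constructed Windows, Okta and Entra samples."""
import json

# Logon Type codes as documented for Windows Security event 4624.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}

# Constructed sample events, not real log data. Windows events are flattened to
# key=value lines using the field names the Splunk Add-on for Microsoft Windows extracts.
WINDOWS_EVENTS = [
    "EventCode=4624\nComputerName=srv01\nLogon_Type=10\nAuthentication_Package=Negotiate\n"
    "Logon_Process=User32\nAccount_Name=alice\nSource_Network_Address=10.0.0.5",
    "EventCode=4624\nComputerName=fs01\nLogon_Type=3\nAuthentication_Package=NTLM\n"
    "Logon_Process=NtLmSsp\nAccount_Name=svc_backup\nSource_Network_Address=10.0.0.9",
]
# Okta System Log entries for one browser session; externalSessionId ties them together.
OKTA_EVENTS = [json.loads(s) for s in (
    '{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"alice@example.com"},'
    '"authenticationContext":{"externalSessionId":"s1"},"target":[]}',
    '{"eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"alice@example.com"},'
    '"authenticationContext":{"externalSessionId":"s1"},"target":[]}',
    '{"eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"alice@example.com"},'
    '"authenticationContext":{"externalSessionId":"s1"},'
    '"target":[{"type":"AppInstance","displayName":"Splunk Cloud"}]}',
)]
# Entra sign-in log entry; authenticationRequirement states the MFA outcome directly.
ENTRA_EVENT = json.loads(
    '{"userPrincipalName":"bob@example.com","appDisplayName":"Office 365",'
    '"authenticationRequirement":"multiFactorAuthentication",'
    '"mfaDetail":{"authMethod":"Mobile app notification"},"status":{"errorCode":0}}')


def parse_kv(raw):
    """Turn key=value lines into a dict (value keeps everything after the first '=')."""
    return dict(line.split("=", 1) for line in raw.splitlines() if "=" in line)


def classify_windows(raw):
    """Infer logon type and package from a 4624 event. 4624 has no MFA field, so mfa is None."""
    f = parse_kv(raw)
    package, process = f.get("Authentication_Package", ""), f.get("Logon_Process", "")
    if package == "NTLM" or process == "NtLmSsp":
        method = "NTLM"
    elif package == "Kerberos":
        method = "Kerberos"
    elif package == "Negotiate":
        method = "Negotiate (Kerberos or NTLM; check Logon_Process)"
    else:
        method = package or "unknown"
    return {"source": "windows", "user": f.get("Account_Name"), "resource": f.get("ComputerName"),
            "logon_type": LOGON_TYPES.get(f.get("Logon_Type"), "unknown"),
            "auth_method": method, "mfa": None}


def classify_okta_sessions(events):
    """Group successful Okta events by session; mfa is True only if an auth_via_mfa event was seen."""
    sessions = {}
    for e in events:
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        sid = e.get("authenticationContext", {}).get("externalSessionId", "unknown")
        s = sessions.setdefault(sid, {"source": "okta", "user": e.get("actor", {}).get("alternateId"),
                                      "resources": [], "auth_method": "password", "mfa": False})
        etype = e.get("eventType")
        if etype == "user.authentication.auth_via_mfa":
            s["mfa"] = True
        elif etype == "user.authentication.sso":
            s["auth_method"] = "SSO"
            s["resources"] += [t["displayName"] for t in e.get("target", [])
                               if t.get("type") == "AppInstance"]
    return sessions


def classify_entra(e):
    """Entra sign-in logs say outright whether MFA was required and which method satisfied it."""
    req = e.get("authenticationRequirement")
    mfa = None if req is None else req == "multiFactorAuthentication"
    if mfa:
        method = e.get("mfaDetail", {}).get("authMethod", "unknown factor")
    elif mfa is False:
        method = "single factor"
    else:
        method = "unknown"
    return {"source": "entra", "user": e.get("userPrincipalName"), "resource": e.get("appDisplayName"),
            "auth_method": method, "mfa": mfa, "success": e.get("status", {}).get("errorCode") == 0}


def summarize():
    """Run every classifier over the constructed samples and return one row per logon/session."""
    rows = [classify_windows(w) for w in WINDOWS_EVENTS]
    rows += list(classify_okta_sessions(OKTA_EVENTS).values())
    rows.append(classify_entra(ENTRA_EVENT))
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Inside Splunk the Windows part of this is a first-cut `stats` over the same fields, for example `index=wineventlog EventCode=4624 | stats count by ComputerName Logon_Type Authentication_Package Logon_Process` (index name assumed); the Okta and Entra parts need the eventType or authenticationRequirement fields that only their own sources carry, which is why the reply above says to onboard each source and look at what it gives you before writing the query.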
  </channel>
</rss>

