topic Re: Triggering third-party authentication Verification in Splunk Search

Triggering third-party authentication Verification

chimuru84 — Tue, 06 Aug 2024 16:13:01 GMT

Hello! I'm trying to implement a mechanism to flag users who have not had a third-party authentication verification in the last 365 days.

I tried this search, but is not give desired result.

I'm grateful for any ideas. Thanks.

Re: Triggering third-party authentication Verification

gcusello — Tue, 06 Aug 2024 15:01:15 GMT

Hi @chimuru84 ,

you should have a list of your users to be inserted in a lookup (called e.g. users.csv) with one column "id".

then you could run something like the following:

Ciao.

Giuseppe

Re: Triggering third-party authentication Verification

chimuru84 — Wed, 07 Aug 2024 04:03:53 GMT

It didn't help... I mean that a user has not made a check for 365 (or more) days until now.

Re: Triggering third-party authentication Verification

gcusello — Wed, 07 Aug 2024 07:03:48 GMT

Hi @chimuru84 ,

with this search you take all the checks event in your logs and you compare them with the users list so you can define is there's some user that didn't do any check on the third party.

The main job is to extract the check events from your logs, and I cannot help you on this because I don't know your logs, then you can use my search to compare the results with the users list.

Ciao.

Giuseppe

Re: Triggering third-party authentication Verification

chimuru84 — Sat, 10 Aug 2024 08:40:38 GMT

Hi @gcusello! I think I didn't ask the question correctly. I want to make a query that returns the users who had a third-party authentication (at the moment), and the last time they passed the authentication was 365 days ago.

Re: Triggering third-party authentication Verification

gcusello — Sat, 10 Aug 2024 10:56:18 GMT

Hi @chimuru84 ,

sorry, I ,isunderstood yur requirement!

let me understand: you want to know the users connected to a third party authentication in the last hour that didn't do another connection in the last year but they did before, is it correct?

at first: how long do you want to run your check: two years?

Then, when you say "authentication at the moment", are you meaning in the last hour or what else?

With the above hypotesis

So, please try this:

In ths way, you have yje users connected in the last hour that did the last connection (except the last hour) more than one year.

If you need a different condition, you can use my approach.

Ciao.

Giuseppe

Re: Triggering third-party authentication Verification

chimuru84 — Mon, 12 Aug 2024 14:21:35 GMT

Hello again @gcusello ! Sorry again. I want to return id, nr_of_days (difference between last_date and_first_date), login of last_date (could be today, yesterday, 1 month ago etc.) and login of first_date (where first_date is 365 days or more).

Re: Triggering third-party authentication Verification

gcusello — Mon, 12 Aug 2024 15:27:48 GMT

Hi @chimuru84 ,

in this case you have to add some fields to the stats command, but the approach is always the same:

index=...... earliest=-2y latest=-h [ search index=...... earliest=-h latest=now | dedup id | fields id ] | eval period=if(_time>now()-31536000, "last Year","Previous Year") | stats dc(Period) AS Period_count values(Period) AS Period earliest(_time) AS first_date latest(_time) AS last_date BY id | where Period_count=1 AND Period!="Previous Year" | eval nr_of_days=last_date-first_date, first_date=strftime(first_date,"%Y-%m-%d %H:%M:%S"), last_date=strftime(last_date,"%Y-%m-%d %H:%M:%S") | table id nr_of_days first_date last_date

Ciao.

Giuseppe