
Best Way to Count Multiple Users logging into 1 Computer/Address with Cisco ISE Logs

TitanAE
New Member

Trying to find the best way to log any time a number logs into more than 1 computer. Not sure of the best approach for this. My current query is:

index=cisco_ise sourcetype="cisco:ise:syslog" (Framed_IP_Address=* AND Framed_IP_Address!="\\") (UserName="*.*" AND UserName!="sim*" AND UserName!="host//*" AND UserName!="\\")
| bin _time span=24h
| stats values(UserName) as User_Name, dc(UserName) as User_Name_Count by Framed_IP_Address, _time
| where User_Name_Count > 1
| eval "Time Range"= strftime(_time,"%Y-%m-%d %H:%M:%S")." - ".strftime(_time+86400,"%Y-%m-%d %H:%M:%S")
| sort -Framed_IP_Address

And believe it or not, this actually gave me 1 result. I could see 2 users logged into the same machine. However, I don't believe it's the best way to write this/achieve this result, and I was hoping to get some advice on how to tighten the query up.

Thank you in advance.

0 Karma
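The detection logic behind the query above (filter usernames, bucket by 24h, count distinct users per Framed-IP-Address, keep buckets with more than one) re-implemented in plain Python so it can be run offline against a few constructed Cisco ISE-style syslog lines. This is an added example, not code from the original post or from the Splunk Cisco ISE add-on. Assumptions: each passed-authentication record carries comma-separated key=value pairs including UserName and Framed-IP-Address; the sample lines are constructed, not captured from a real ISE node; machine-authentication names are excluded with the pattern host/* (single slash, which is how ISE writes them) rather than the host//* used in the post; and the 24h buckets are aligned to multiples of 86400 seconds in UTC, which approximates but is not identical to how Splunk's bin aligns buckets.

```python
"""Added example: multiple distinct users on one Framed-IP-Address within a
24h bucket, the logic of the SPL query above redone in Python. The log lines
and field layout are constructed approximations of Cisco ISE syslog."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample records (not real ISE output). A simplified layout:
# "<timestamp> <host> CISE_Passed_Authentications: key=value, key=value, ..."
SAMPLE_LOGS = [
    "2024-12-02 08:15:01 ise01 CISE_Passed_Authentications: UserName=alice.smith, Framed-IP-Address=10.20.30.40, Calling-Station-ID=AA-BB-CC-00-00-01",
    "2024-12-02 13:42:10 ise01 CISE_Passed_Authentications: UserName=bob.jones, Framed-IP-Address=10.20.30.40, Calling-Station-ID=AA-BB-CC-00-00-02",
    "2024-12-02 07:00:00 ise01 CISE_Passed_Authentications: UserName=host/WS-0042.corp.example, Framed-IP-Address=10.20.30.41, Calling-Station-ID=AA-BB-CC-00-00-03",
    "2024-12-02 07:00:05 ise01 CISE_Passed_Authentications: UserName=carol.lee, Framed-IP-Address=10.20.30.41, Calling-Station-ID=AA-BB-CC-00-00-03",
    "2024-12-02 09:00:00 ise01 CISE_Passed_Authentications: UserName=sim.test, Framed-IP-Address=10.20.30.42, Calling-Station-ID=AA-BB-CC-00-00-04",
    "2024-12-02 09:10:00 ise01 CISE_Passed_Authentications: UserName=dave, Framed-IP-Address=10.20.30.42, Calling-Station-ID=AA-BB-CC-00-00-04",
    "2024-12-02 09:30:00 ise01 CISE_Passed_Authentications: UserName=erin.wu, Framed-IP-Address=10.20.30.42, Calling-Station-ID=AA-BB-CC-00-00-04",
    # Next day: same IP as alice/bob, but a different 24h bucket, so no alert.
    "2024-12-03 02:10:00 ise01 CISE_Passed_Authentications: UserName=frank.ng, Framed-IP-Address=10.20.30.40, Calling-Station-ID=AA-BB-CC-00-00-05",
    # Record without an address (e.g. auth before IP assignment): skipped.
    "2024-12-03 02:11:00 ise01 CISE_Passed_Authentications: UserName=grace.kim, Calling-Station-ID=AA-BB-CC-00-00-06",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
KV_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")
SPAN = 24 * 3600                     # mirrors "bin _time span=24h"
INCLUDE = "*.*"                      # mirrors UserName="*.*" (name contains a dot)
EXCLUDE = ("sim*", "host/*")         # mirrors UserName!="sim*" and machine auth


def parse_line(line):
    """Return (epoch_seconds_utc, {key: value}) or None if no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    fields = {k: v.strip() for k, v in KV_RE.findall(line)}
    return ts.timestamp(), fields


def wanted_user(name):
    """Splunk field matches are case-insensitive, so compare lowercased."""
    n = name.lower()
    return fnmatchcase(n, INCLUDE) and not any(fnmatchcase(n, p) for p in EXCLUDE)


def multi_user_ips(lines, span=SPAN):
    """Rows for every (IP, 24h bucket) that saw more than one distinct user."""
    users = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        epoch, f = parsed
        ip, user = f.get("Framed-IP-Address"), f.get("UserName")
        if not ip or not user or not wanted_user(user):
            continue
        bucket = int(epoch // span) * span   # assumption: epoch-aligned buckets
        users[(ip, bucket)].add(user)

    rows = []
    for (ip, bucket), names in sorted(users.items()):
        if len(names) > 1:                  # mirrors "where User_Name_Count > 1"
            start = datetime.fromtimestamp(bucket, timezone.utc)
            end = datetime.fromtimestamp(bucket + span, timezone.utc)
            rows.append({
                "Framed_IP_Address": ip,
                "Time Range": f"{start:%Y-%m-%d %H:%M:%S} - {end:%Y-%m-%d %H:%M:%S}",
                "User_Name": sorted(names),
                "User_Name_Count": len(names),
            })
    return rows


if __name__ == "__main__":
    for row in multi_user_ips(SAMPLE_LOGS):
        print(row)
```

Two caveats the sample data is built to expose: a fixed 24h bucket never pairs two logins that straddle the bucket boundary (frank.ng on 10.20.30.40 just after midnight is not reported alongside alice.smith and bob.jones), and an address reused by DHCP within a day will look like two users on one machine. Keying on Calling-Station-ID (the client MAC) as well as the IP, or using a sliding window, separates those cases; the sample rows already carry the MAC for that purpose.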