All Apps and Add-ons

Best Way to Count Multiple Users logging into 1 Computer/Address with Cisco ISE Logs

New Member

Trying to find the best way to log anytime a number logs into more than 1 computer. Not sure the best approach for this. My current query is:

index=cisco_ise sourcetype="cisco:ise:syslog" (Framed_IP_Address=* AND Framed_IP_Address!="\\") (UserName="*.*" AND UserName!="sim*" AND UserName!="host//*" AND UserName!="\\")
| bin _time span=24h
| stats values(UserName) as User_Name, dc(UserName) as User_Name_Count by Framed_IP_Address, _time
| eval "Time Range"= strftime(_time,"%Y-%m-%d %H:%M:%S")
| eval "Time Range"= 'Time Range'.strftime(_time+3600,"- %H:%M:%S")
| sort -Framed_IP_Address
| where User_Name_Count  > 1

And believe it or not, this actually gave me 1 result. I could see 2 users logged into the same machine. However, I don't believe it's the best way to write this/achieve this result. And was hoping to get some advice on how to tighten the query up.

Thank you in advanced.

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...