All Apps and Add-ons

How to pull age / time for LastAccessKeyUsed?

kppradhan
New Member

Hello,

I am currently working on a query / report that displays MFA information for users in my AWS organizations.

The table is as follows:

account_id | UserName | AccessKeyMetadata{}.AccessKeyId |Days Since Last Login | MFA Present |MFA Detail

I'm looking to pull the age of the AccessKeyID but am having trouble.

Any suggestions?

I am currently using the stats command to pull all current MFA related info:

| stats latest(days_since_login) as "Days Since Last Login", latest(mfa_present) as "MFA Present", latest(mfa_detail) as "MFA Detail" by account_id, UserName, AccessKeyMetadata{}.AccessKeyId

Ideally -- I would like to pull the age of AccessKeyID.

Any help would be greatly appreciated.

Thanks,

  • Kiran
Labels (1)
Tags (2)
0 Karma

drobMT
Explorer

Do you have access to the time created for the AccessKeyId as a field?

I've calculated the age of items before using eval; the following example actually calculates the age of an EBS volume in AWS; concept is similar if you have access to the time the accesskeyid was created.

| eval VolumeAgeSeconds = round(now()-strptime(create_time, "%Y-%m-%dT%H:%M:%S.%N%Z"),2), VolumeAge=tostring(VolumeAgeSeconds, "duration")

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...