How to pull age / time for LastAccessKeyUsed?

kppradhan
New Member

Hello,

I am currently working on a query / report that displays MFA information for users in my AWS organizations.

The table is as follows:

account_id | UserName | AccessKeyMetadata{}.AccessKeyId | Days Since Last Login | MFA Present | MFA Detail

I'm looking to pull the age of the AccessKeyID but am having trouble.

Any suggestions?

I am currently using the stats command to pull all current MFA related info:

| stats latest(days_since_login) as "Days Since Last Login", latest(mfa_present) as "MFA Present", latest(mfa_detail) as "MFA Detail" by account_id, UserName, AccessKeyMetadata{}.AccessKeyId

Ideally -- I would like to pull the age of AccessKeyID.

Any help would be greatly appreciated.

Thanks,

Kiran
0 Karma

drobMT
Explorer

Do you have access to the time created for the AccessKeyId as a field?

I've calculated the age of items before using eval. The following example actually calculates the age of an EBS volume in AWS; the concept is similar if you have access to the time the AccessKeyId was created.

| eval VolumeAgeSeconds = round(now()-strptime(create_time, "%Y-%m-%dT%H:%M:%S.%N%Z"),2), VolumeAge=tostring(VolumeAgeSeconds, "duration")

 

0 Karma
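Added example, not written by either poster: the same eval/strptime approach applied to access keys and folded into the stats report from the question. It assumes the events carry a creation-time field named AccessKeyMetadata{}.CreateDate with values like 2024-01-15T09:30:00Z (neither is confirmed on this page), and that a user may have more than one key, so each AccessKeyId has to be paired with its own CreateDate before the age is computed.

```spl
| eval key_pair = mvzip('AccessKeyMetadata{}.AccessKeyId', 'AccessKeyMetadata{}.CreateDate', ",") `comment("ASSUMPTION: CreateDate field name; pairs each key id with its own creation time")`
| mvexpand key_pair `comment("one result row per access key")`
| eval AccessKeyId = mvindex(split(key_pair, ","), 0),
       KeyCreated  = mvindex(split(key_pair, ","), 1)
| eval KeyAgeDays = floor((now() - strptime(KeyCreated, "%Y-%m-%dT%H:%M:%S%Z")) / 86400) `comment("ASSUMPTION: timestamp format; adjust the format string to match the data")`
| eval KeyAgeDays = if(isnull(KeyAgeDays), "unknown", KeyAgeDays) `comment("makes a format mismatch or a user without keys visible instead of blank")`
| fillnull value="none" AccessKeyId `comment("keeps users without any access key in the MFA report")`
| stats latest(days_since_login) as "Days Since Last Login",
        latest(mfa_present) as "MFA Present",
        latest(mfa_detail) as "MFA Detail",
        latest(KeyAgeDays) as "Access Key Age (days)"
        by account_id, UserName, AccessKeyId
```

Field names containing braces or dots must be wrapped in single quotes inside eval, as on the first line. The `comment` macro is only used for annotation and can be deleted without changing the results.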