Security

Assist with a specific report webmail login only

gkuhns
New Member

Hello,

I'm looking for assistance with a webmail-only report, I ran a query and I only got ActiveSync output, my customer is only interested in OWA not ActiveSync as a report for their users.

Code which produced only Active Sync.

index="iis_logs_exchxxx" sourcetype="iis" s_port="443" c_ip!="10.*" c_ip!="127.0.0.1" c_ip!="::1" cs_method!="HEAD" cs_username="*@domain.com"
| iplocation c_ip
| eval alert_time=_time
| convert ctime(alert_time) timeformat="%m/%d/%Y %H:%M:%S %Z"
| table alert_time,cs_username,cs_User_Agent,c_ip, City, Region, Country
| stats values(c_ip) by alert_time,cs_username,cs_User_Agent,City,Region,Country
| rename cs_username AS "Username", values(c_ip) AS "IP addresses", cs_User_Agent AS "Device Type", alert_time AS "Date/Time"

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...