Security

Assist with a specific report webmail login only

gkuhns
New Member

Hello,

I'm looking for assistance with a webmail-only report, I ran a query and I only got ActiveSync output, my customer is only interested in OWA not ActiveSync as a report for their users.

Code which produced only Active Sync.

index="iis_logs_exchxxx" sourcetype="iis" s_port="443" c_ip!="10.*" c_ip!="127.0.0.1" c_ip!="::1" cs_method!="HEAD" cs_username="*@domain.com"
| iplocation c_ip
| eval alert_time=_time
| convert ctime(alert_time) timeformat="%m/%d/%Y %H:%M:%S %Z"
| table alert_time,cs_username,cs_User_Agent,c_ip, City, Region, Country
| stats values(c_ip) by alert_time,cs_username,cs_User_Agent,City,Region,Country
| rename cs_username AS "Username", values(c_ip) AS "IP addresses", cs_User_Agent AS "Device Type", alert_time AS "Date/Time"

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...