Security

Assist with a specific report webmail login only

gkuhns
New Member

Hello,

I'm looking for assistance with a webmail-only report, I ran a query and I only got ActiveSync output, my customer is only interested in OWA not ActiveSync as a report for their users.

Code which produced only Active Sync.

index="iis_logs_exchxxx" sourcetype="iis" s_port="443" c_ip!="10.*" c_ip!="127.0.0.1" c_ip!="::1" cs_method!="HEAD" cs_username="*@domain.com"
| iplocation c_ip
| eval alert_time=_time
| convert ctime(alert_time) timeformat="%m/%d/%Y %H:%M:%S %Z"
| table alert_time,cs_username,cs_User_Agent,c_ip, City, Region, Country
| stats values(c_ip) by alert_time,cs_username,cs_User_Agent,City,Region,Country
| rename cs_username AS "Username", values(c_ip) AS "IP addresses", cs_User_Agent AS "Device Type", alert_time AS "Date/Time"

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...