Security

authentication method in a query on splunk

rsaude
Path Finder

Hey everyone,

Is there a way to check for which kind of authentication method is being used by splunk in a log? (Splunk itself, SAML or LDAP)

Thanks in advanced

0 Karma
1 Solution

rsaude
Path Finder

With the app https://splunkbase.splunk.com/app/1866/
i was able to get one of the dashboards which displayed what i wanted,

Name: Users by authentication type
Code: | rest splunk_server=local /services/authentication/users | stats count by type

View solution in original post

0 Karma

rsaude
Path Finder

With the app https://splunkbase.splunk.com/app/1866/
i was able to get one of the dashboards which displayed what i wanted,

Name: Users by authentication type
Code: | rest splunk_server=local /services/authentication/users | stats count by type

0 Karma

rsaude
Path Finder

It's not 100% correct since it wasn't in a log but since i got it to work i'll call it a win.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

As far as I know that in splunk logs those information are not available.

0 Karma

rsaude
Path Finder

i feard that, in any case if anyone knows a work around feel free to share please

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Try below search (It is ugly because of join) but I think it will give you a result.

index=_audit host=<your host> action="login attempt"
| fields user, action, info, src 
| join type=left user
    [| rest /services/authentication/users splunk_server=local f=title f=type 
    | rename title as user 
    | fields user, type ]
| table user, type, action, info, src
0 Karma

rsaude
Path Finder

it did not work for me, there were users that appeared with no type (Probably because they no longer exist)

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Yes, query which I have provided will give you type if that user exist in splunk, it it does not exist then it will give you blank.

0 Karma

rsaude
Path Finder

I managed to get it working for me, but thank you for your help anyway

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Welcome... 🙂

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...