Splunk Enterprise Security

How to get the last login time for the user for the correlation search "Access - Inactive Account Usage"?

abhi04
Communicator

Below is the query:
| `inactive_account_usage("90","2")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime

Macro search used:
inactive_account_usage= inputlookup append=T access_tracker where [| makeresults | `make_ts_value("-$lessThan$h",lastTime_user)` | eval search="lastTime_user>=".lastTime_user | return $search] | stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user | eval `get_second2lastTime_meval(second2lastTime,lastTime_vals,lastTime)`,inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime | search inactiveDays>=$greaterThan$ | `get_identity4events(user)`

make_ts_value=eval "$fieldOut$"=case(match("$value$", "^\d"), tostring("$value$"), match("$value$", "^([@+-]){1}"), relative_time(time(), "$value$"), true(), time())

get_second2lastTime_meval="$second$"=mvdedup(mvappend('$second$',NULL,'$last_vals$')),`mvfilter_field_meval($second$,$last$)`,"$second$"=max('$second$')

get_identity4events=lookup update=true identity_lookup_expanded key as $username$ OUTPUTNEW identity as $username$_identity,prefix as $username$_prefix,nick as $username$_nick,first as $username$_first,last as $username$_last,suffix as $username$_suffix,email as $username$_email,phone as $username$_phone,phone2 as $username$_phone2,managedBy as $username$_managedBy,priority as $username$_priority,bunit as $username$_bunit,category as $username$_category,watchlist as $username$_watchlist,startDate as $username$_startDate,endDate as $username$_endDate,identity_tag as $username$_identity_tag,work_city as $username$_work_city,work_country as $username$_work_country,work_lat as $username$_work_lat,work_long as $username$_work_long | lookup identity_lookup_default_fields key as $username$ OUTPUTNEW watchlist as $username$_watchlist | eval `mvappend_field_meval(tag,$username$_identity_tag)`,`iden_mktime_meval($username$_startDate)`,`iden_mktime_meval($username$_endDate)`

ctime=ctime($field$,"%m/%d/%Y %H:%M:%S")

I need to get the login time before it was inactive. Please help.

0 Karma
1 Solution

xavierashe
Contributor

This data is in the access_tracker lookup. Start with | inputlookup access_tracker and drill down to what you need.

0 Karma

abhi04
Communicator

Hi @xavierashe, I got this from the second2lastTime field. But where can I see the _raw logs for the logins made?

I checked the data model Authentication, where I could see the latest login. Also, when I checked for the login just before inactivity, I was not able to see it, although the data model log retention is for 1 year. Please suggest.

0 Karma

xavierashe
Contributor

Run tag=authentication user=username action=success | head 1 over all time. If that doesn't come back with anything then you might not have the raw data retained.

0 Karma

abhi04
Communicator

Thanks @xavierashe

0 Karma