Splunk Enterprise Security

How to get the last login time for the user for the correlation search "Access - Inactive Account Usage"?

abhi04
Communicator

Below is the query:
| `inactive_account_usage("90","2")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime

Macros used (nested macro calls shown with their backticks):

inactive_account_usage(2) = inputlookup append=T access_tracker where [| makeresults | `make_ts_value("-$lessThan$h",lastTime_user)` | eval search="lastTime_user>=".lastTime_user | return $search] | stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user | eval `get_second2lastTime_meval(second2lastTime,lastTime_vals,lastTime)`,inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime | search inactiveDays>=$greaterThan$ | `get_identity4events(user)`

make_ts_value(2) = eval "$fieldOut$"=case(match("$value$", "^\d"), tostring("$value$"), match("$value$", "^([@+-]){1}"), relative_time(time(), "$value$"), true(), time())

get_second2lastTime_meval(3) = "$second$"=mvdedup(mvappend('$second$',NULL,'$last_vals$')),`mvfilter_field_meval($second$,$last$)`,"$second$"=max('$second$')

get_identity4events(1) = lookup update=true identity_lookup_expanded key as $username$ OUTPUTNEW identity as $username$_identity,prefix as $username$_prefix,nick as $username$_nick,first as $username$_first,last as $username$_last,suffix as $username$_suffix,email as $username$_email,phone as $username$_phone,phone2 as $username$_phone2,managedBy as $username$_managedBy,priority as $username$_priority,bunit as $username$_bunit,category as $username$_category,watchlist as $username$_watchlist,startDate as $username$_startDate,endDate as $username$_endDate,identity_tag as $username$_identity_tag,work_city as $username$_work_city,work_country as $username$_work_country,work_lat as $username$_work_lat,work_long as $username$_work_long | lookup identity_lookup_default_fields key as $username$ OUTPUTNEW watchlist as $username$_watchlist | eval `mvappend_field_meval(tag,$username$_identity_tag)`,`iden_mktime_meval($username$_startDate)`,`iden_mktime_meval($username$_endDate)`

ctime(1) = convert timeformat="%m/%d/%Y %H:%M:%S" ctime($field$)

I need to get the login time before it was inactive. Please help

1 Solution

xavierashe
Contributor

This data is in the access_tracker lookup. Start with | inputlookup access_tracker and drill down to what you need.

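As an added worked example (not from the original post and not Splunk's own ES content), this is one way to drill into access_tracker for a single user and reproduce the numbers the correlation search reports. It assumes the lookup carries the fields the macro above references (user, firstTime, lastTime, second2lastTime, all in epoch seconds), that a user can have more than one row in the lookup, and that the user name jdoe is a placeholder:

```spl
| inputlookup access_tracker where user="jdoe"
| eval loginTime=mvappend(lastTime, second2lastTime)
| mvexpand loginTime
| eventstats min(firstTime) AS firstTime max(lastTime) AS lastTime BY user
| where loginTime<lastTime
| stats max(loginTime) AS second2lastTime values(firstTime) AS firstTime values(lastTime) AS lastTime BY user
| eval inactiveDays=round((lastTime-second2lastTime)/86400,2)
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime) ctime(second2lastTime) ctime(lastTime)
| table user firstTime second2lastTime lastTime inactiveDays
```

The mvexpand, eventstats and where steps mirror what `get_second2lastTime_meval` does: collect every lastTime and second2lastTime recorded for the user, drop the ones equal to the most recent lastTime, and keep the largest remaining one. That value, second2lastTime, is the login immediately before the inactive period, and inactiveDays is the same figure the correlation search filters on with inactiveDays>=$greaterThan$. A user with a single recorded login has nothing left after the where clause and drops out, exactly as in the correlation search. mvexpand is used instead of mvfilter because mvfilter cannot compare against a second field such as lastTime.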

abhi04
Communicator

Hi @xavierashe, I got this from the second2lastTime field. But where can I see the _raw logs for the logins made?

I checked the data model Authentication, where I could see the latest login. Also, when I checked for the login just before the account went inactive, I was not able to see it, although the data model logs retention is for 1 year. Please suggest.


xavierashe
Contributor

Run tag=authentication user=username action=success | head 1 over all time. If that doesn't come back with anything, then you might not have the raw data retained.

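An added example (not part of the original thread) that generalises the all-time check above: instead of | head 1, it summarises how far back the retained raw successful logins for the user reach, per index and sourcetype, so the result can be compared with the second2lastTime value taken from access_tracker. The user name jdoe is a placeholder:

```spl
tag=authentication action=success user="jdoe" earliest=0 latest=now
| stats count AS rawLogins min(_time) AS rawFirstLogin max(_time) AS rawLastLogin BY user index sourcetype
| eval daysOfHistory=round((now()-rawFirstLogin)/86400,1)
| sort - rawLastLogin
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(rawFirstLogin) ctime(rawLastLogin)
| table user index sourcetype rawLogins rawFirstLogin rawLastLogin daysOfHistory
```

If rawFirstLogin is later than the lookup's second2lastTime, or the search returns nothing, the earlier login has aged out of the index. The retention that governs that is the index's frozenTimePeriodInSecs in indexes.conf, which is independent of both the data model acceleration summary range and the access_tracker lookup; the lookup keeps its state long after the raw events are gone, which is why the correlation search can still fire for a login you can no longer find in _raw. All-time searches over authentication data are expensive, so keep the user filter and, where possible, restrict to the indexes the Authentication data model reads from.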

abhi04
Communicator

Thanks @xavierashe
