Splunk Enterprise Security

How to get the last login time for the user for the correlation search " Access - Inactive Account Usage"?

abhi04
Communicator

How to get the last login time for the user for the correlation search " Access - Inactive Account Usage"?
Below is the query:
| inactive_account_usage("90","2") | ctime(lastTime) | fields + user,tag,inactiveDays,lastTime

Macro search used:
inactive_account_usage= inputlookup append=T access_tracker where [| makeresults | make_ts_value("-$lessThan$h",lastTime_user) | eval search="lastTime_user>=".lastTime_user | return $search] | stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user | eval get_second2lastTime_meval(second2lastTime,lastTime_vals,lastTime),inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime | search inactiveDays>=$greaterThan$ | get_identity4events(user)

make_ts_value=eval "$fieldOut$"=case(match("$value$", "^\d"), tostring("$value$"), match("$value$", "^([@+-]){1}"), relative_time(time(), "$value$"), true(), time())

get_second2lastTime_meval="$second$"=mvdedup(mvappend('$second$',NULL,'$last_vals$')),mvfilter_field_meval($second$,$last$),"$second$"=max('$second$')

get_identity4events=lookup update=true identity_lookup_expanded key as $username$ OUTPUTNEW identity as $username$_identity,prefix as $username$_prefix,nick as $username$_nick,first as $username$_first,last as $username$_last,suffix as $username$_suffix,email as $username$_email,phone as $username$_phone,phone2 as $username$_phone2,managedBy as $username$_managedBy,priority as $username$_priority,bunit as $username$_bunit,category as $username$_category,watchlist as $username$_watchlist,startDate as $username$_startDate,endDate as $username$_endDate,identity_tag as $username$_identity_tag,work_city as $username$_work_city,work_country as $username$_work_country,work_lat as $username$_work_lat,work_long as $username$_work_long | lookup identity_lookup_default_fields key as $username$ OUTPUTNEW watchlist as $username$_watchlist | eval mvappend_field_meval(tag,$username$_identity_tag),iden_mktime_meval($username$_startDate),`iden_mktime_meval($username$_endDate)

ctime=ctime($field$,"%m/%d/%Y %H:%M:%S")

I need to get the login time before it was inactive. Please help

0 Karma
1 Solution

xavierashe
Contributor

This data is in the access_tracker lookup. Start with | inputlook access_tracker and drill down to what you need.

View solution in original post

0 Karma

xavierashe
Contributor

This data is in the access_tracker lookup. Start with | inputlook access_tracker and drill down to what you need.

0 Karma

abhi04
Communicator

Hi @xavierashe, I got this from the second2lastTime field.But where can I see the _raw logs for the logins made.

I checked the data model Authentication where I could see the latest login.Also when I checked for the login just before inactive I was not able to see it although the data model logs retention is for 1 year. Please suggest.

0 Karma

xavierashe
Contributor

Run tag=authentication user=username action=success | head 1 over all time. If that doesn't come back with anything then you might not have the raw data retained.

0 Karma

abhi04
Communicator

Thanks @xavierashe

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...