Splunk Enterprise Security

How to get the last login time for the user for the correlation search " Access - Inactive Account Usage"?

abhi04
Path Finder

Below is the query:
| `inactive_account_usage("90","2")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime

Macro search used:
inactive_account_usage=inputlookup append=T access_tracker where [| makeresults | `make_ts_value("-$lessThan$h",lastTime_user)` | eval search="lastTime_user>=".lastTime_user | return $search] | stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user | eval `get_second2lastTime_meval(second2lastTime,lastTime_vals,lastTime)`,inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime | search inactiveDays>=$greaterThan$ | `get_identity4events(user)`

make_ts_value=eval "$fieldOut$"=case(match("$value$", "^\d"), tostring("$value$"), match("$value$", "^([@+-]){1}"), relative_time(time(), "$value$"), true(), time())

get_second2lastTime_meval="$second$"=mvdedup(mvappend('$second$',NULL,'$last_vals$')),`mvfilter_field_meval($second$,$last$)`,"$second$"=max('$second$')

get_identity4events=lookup update=true identity_lookup_expanded key as $username$ OUTPUTNEW identity as $username$_identity,prefix as $username$_prefix,nick as $username$_nick,first as $username$_first,last as $username$_last,suffix as $username$_suffix,email as $username$_email,phone as $username$_phone,phone2 as $username$_phone2,managedBy as $username$_managedBy,priority as $username$_priority,bunit as $username$_bunit,category as $username$_category,watchlist as $username$_watchlist,startDate as $username$_startDate,endDate as $username$_endDate,identity_tag as $username$_identity_tag,work_city as $username$_work_city,work_country as $username$_work_country,work_lat as $username$_work_lat,work_long as $username$_work_long | lookup identity_lookup_default_fields key as $username$ OUTPUTNEW watchlist as $username$_watchlist | eval `mvappend_field_meval(tag,$username$_identity_tag)`,`iden_mktime_meval($username$_startDate)`,`iden_mktime_meval($username$_endDate)`

ctime=ctime($field$,"%m/%d/%Y %H:%M:%S")

I need to get the login time before it was inactive. Please help.

0 Karma
1 Solution

xavierashe
Contributor

This data is in the access_tracker lookup. Start with | inputlookup access_tracker and drill down to what you need.

0 Karma

abhi04
Path Finder

Hi @xavierashe, I got this from the second2lastTime field. But where can I see the _raw logs for the logins made?

I checked the Authentication data model, where I could see the latest login. Also, when I checked for the login just before it went inactive, I was not able to see it, although the data model log retention is for 1 year. Please suggest.

0 Karma

xavierashe
Contributor

Run tag=authentication user=username action=success | head 1 over all time. If that doesn't come back with anything then you might not have the raw data retained.

0 Karma
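An added example, not from this thread and not Splunk's own ES content, that puts xavierashe's two suggestions into one search: it reads one user's stored login times from the access_tracker lookup, then checks whether the raw authentication events behind those times are still retained. Assumptions: jdoe is a constructed placeholder user name; firstTime, second2lastTime and lastTime are the epoch fields the question's macro already reads from the lookup; any duplicate rows per user are collapsed with max, which simplifies the macro's multivalue second2lastTime handling; the tag=authentication action=success search is the one from the reply above and relies on CIM tagging being in place.

```spl
| inputlookup access_tracker
| search user="jdoe"
| stats min(firstTime) as firstTime, max(second2lastTime) as second2lastTime, max(lastTime) as lastTime by user
| append
    [ search tag=authentication action=success user="jdoe" earliest=0 latest=now
      | stats count as rawEvents, min(_time) as rawEarliest, max(_time) as rawLatest by user ]
| stats values(*) as * by user
| eval inactiveDays=round((tonumber(lastTime) - tonumber(second2lastTime)) / 86400, 2)
| foreach firstTime second2lastTime lastTime rawEarliest rawLatest
    [ eval <<FIELD>>=strftime(tonumber(<<FIELD>>), "%m/%d/%Y %H:%M:%S") ]
| table user firstTime second2lastTime lastTime inactiveDays rawEvents rawEarliest rawLatest
```

second2lastTime is the login that preceded the most recent one, so inactiveDays here matches what the correlation search reports when the lookup holds a single row for the user. If rawEvents comes back empty while the lookup still shows a second2lastTime, the lookup has outlived the raw events (the situation in the thread), but first rerun the bracketed search on its own over All time: inside append it is subject to the usual subsearch time and result limits, and an all-time scan can be cut short.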

abhi04
Path Finder

Thanks @xavierashe

0 Karma