Splunk Enterprise Security

How to get the last login time for the user for the correlation search " Access - Inactive Account Usage"?

Path Finder

How to get the last login time for the user for the correlation search " Access - Inactive Account Usage"?
Below is the query:
| inactive_account_usage("90","2") | ctime(lastTime) | fields + user,tag,inactiveDays,lastTime

Macro search used:
inactive_account_usage= inputlookup append=T access_tracker where [| makeresults | make_ts_value("-$lessThan$h",lastTime_user) | eval search="lastTime_user>=".lastTime_user | return $search] | stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user | eval get_second2lastTime_meval(second2lastTime,lastTime_vals,lastTime),inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime | search inactiveDays>=$greaterThan$ | get_identity4events(user)

make_ts_value=eval "$fieldOut$"=case(match("$value$", "^\d"), tostring("$value$"), match("$value$", "^([@+-]){1}"), relative_time(time(), "$value$"), true(), time())

get_second2lastTime_meval="$second$"=mvdedup(mvappend('$second$',NULL,'$last_vals$')),mvfilter_field_meval($second$,$last$),"$second$"=max('$second$')

get_identity4events=lookup update=true identity_lookup_expanded key as $username$ OUTPUTNEW identity as $username$_identity,prefix as $username$_prefix,nick as $username$_nick,first as $username$_first,last as $username$_last,suffix as $username$_suffix,email as $username$_email,phone as $username$_phone,phone2 as $username$_phone2,managedBy as $username$_managedBy,priority as $username$_priority,bunit as $username$_bunit,category as $username$_category,watchlist as $username$_watchlist,startDate as $username$_startDate,endDate as $username$_endDate,identity_tag as $username$_identity_tag,work_city as $username$_work_city,work_country as $username$_work_country,work_lat as $username$_work_lat,work_long as $username$_work_long | lookup identity_lookup_default_fields key as $username$ OUTPUTNEW watchlist as $username$_watchlist | eval mvappend_field_meval(tag,$username$_identity_tag),iden_mktime_meval($username$_startDate),`iden_mktime_meval($username$_endDate)

ctime=ctime($field$,"%m/%d/%Y %H:%M:%S")

I need to get the login time before it was inactive. Please help

0 Karma
1 Solution

Contributor

This data is in the access_tracker lookup. Start with | inputlook access_tracker and drill down to what you need.

View solution in original post

0 Karma

Contributor

This data is in the access_tracker lookup. Start with | inputlook access_tracker and drill down to what you need.

View solution in original post

0 Karma

Path Finder

Hi @xavierashe, I got this from the second2lastTime field.But where can I see the _raw logs for the logins made.

I checked the data model Authentication where I could see the latest login.Also when I checked for the login just before inactive I was not able to see it although the data model logs retention is for 1 year. Please suggest.

0 Karma

Contributor

Run tag=authentication user=username action=success | head 1 over all time. If that doesn't come back with anything then you might not have the raw data retained.

0 Karma

Path Finder

Thanks @xavierashe

0 Karma