Splunk Search

How can I monitor user activity pattern search?

AL3Z
Builder

Hi,

I'm trying to figure out the query  to identify when users are connecting to the VPN or not.


AL3Z
Builder

@yuanliu
I apologize for not providing adequate clarification earlier.

Actually, when a user is on VPN you will see the events below:

Okta + Cisco or AnyConnect

When a user is on-prem you will see only one event:

Okta

When a user logs on from the office he is on Okta; other than from the office he logs on via VPN, i.e. Okta + VPN.
If there are multiple occurrences of logon on the same day then it should show on-prem & VPN.

*Without Okta, connecting to VPN is not possible.*

Thanks

yuanliu
SplunkTrust

Actually, when a user is on VPN you will see the events below:

Okta + GP or AnyConnect

When a user is on-prem you will see only one event:

Okta

I interpret this as the 2nd scenario in my previous post.  Have you tried this?

index=xyz sourcetype=Okta* ((eventType=user.* displayMessage="User single sign on to app")
  OR (targetAppAlternateId="cisco*" OR targetAppAlternateId="anyconnect*")) earliest=-30d
| eval logon = case(match(displayMessage, "User single sign on to app"), "Okta", match(targetAppAlternateId, "(?i)anyconnect|cisco"), "VPN")
| bin span=1d@d _time
| stats values(logon) as logon by _time userid
| eval connectivity_type = if(isnotnull(mvfind(logon, "Okta")), if(isnotnull(mvfind(logon, "VPN")), "VPN", "On-prem"), "none")

(I removed the anomaly handling but otherwise it's the same.)  Please post the output if it differs from the desired results (with an illustration of the desired results), and also illustrate raw events. (If anonymized, make sure to validate the JSON.  The first posted sample is invalid.)

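As an added illustration, not code from the thread or from Splunk, here is the same day/user bucketing and the Okta-only vs. Okta+VPN decision written in Python over constructed sample events, so the rule can be checked offline before it is run as SPL. Field names follow the query in the post; the sample values, the _ev helper and the Radius event type are my own assumptions, and unlike the SPL case() an SSO event whose target is the VPN app counts as both markers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events using the field names the thread's SPL relies on
# (userid, eventType, displayMessage, targetAppAlternateId); values are invented.
def _ev(time, userid, message, app, event_type="user.authentication.sso"):
    return {"_time": time, "userid": userid, "eventType": event_type,
            "displayMessage": message, "targetAppAlternateId": app}

SAMPLE_EVENTS = [
    _ev("2024-05-06T08:02:11Z", "alice", "User single sign on to app", "Salesforce"),
    _ev("2024-05-06T08:03:40Z", "alice", "User single sign on to app", "Cisco AnyConnect"),
    _ev("2024-05-07T09:15:02Z", "alice", "User single sign on to app", "Salesforce"),
    _ev("2024-05-07T12:00:00Z", "bob", "User login to Okta", "", "user.session.start"),
    _ev("2024-05-08T07:45:00Z", "bob", "Authentication of user via Radius", "anyconnect",
        "user.authentication.auth_via_radius"),  # assumed event type, VPN marker without SSO
]

VPN_APP = re.compile(r"anyconnect|cisco", re.IGNORECASE)  # case-insensitive, unlike SPL match()

def logon_labels(event):
    """Labels one event contributes, mirroring 'eval logon = case(...)' in the thread
    but allowing both: an SSO event whose target is the VPN app counts as Okta AND VPN."""
    labels = set()
    if event["eventType"].startswith("user.") and event["displayMessage"] == "User single sign on to app":
        labels.add("Okta")
    if VPN_APP.search(event["targetAppAlternateId"]):
        labels.add("VPN")
    return labels

def daily_connectivity(events):
    """Equivalent of 'bin span=1d _time | stats values(logon) by _time userid' plus the
    connectivity eval. Days are UTC calendar days. Returns {(day, userid): type}."""
    seen = defaultdict(set)
    for ev in events:
        labels = logon_labels(ev)
        if not labels:
            continue  # neither marker; the SPL search would not return this event
        day = datetime.fromisoformat(ev["_time"].replace("Z", "+00:00")).date().isoformat()
        seen[(day, ev["userid"])].update(labels)
    result = {}
    for key, labels in seen.items():
        if "Okta" not in labels:
            result[key] = "none"     # VPN marker with no Okta logon: impossible per the poster
        elif "VPN" in labels:
            result[key] = "VPN"
        else:
            result[key] = "On-prem"
    return result
```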

yuanliu
SplunkTrust

It is not immediately clear which field indicates a connection to Okta and which indicates a connection to Cisco/Anyconnect.  So the following will just perform a match against _raw.  The best would be to narrowly match designated fields. (One reason this is unclear is that the sample data you gave is no longer valid JSON because of some inaccuracy during your anonymization.  It would help if you could diagnose the JSON, or at a minimum use a pretty print before anonymizing so volunteers can make an educated guess.  But in this problem it shouldn't matter too much because you already know which fields are of interest.)

<your search> earliest=-30d
| eval connect_state = if(match(_raw, "(?i)okta"), if(match(_raw, "(?i)cisco|anyconnect"), "VPN", "On-prem"), "none")
| timechart span=1d@d values(connect_state) as connect_state

Is this something you are looking for?
