How can I monitor user activity pattern search?

AL3Z
Builder

Hi,

I'm trying to figure out the query to identify when users are connecting to the VPN or not.


AL3Z
Builder

@yuanliu 
I apologize for not providing adequate clarification earlier.

Actually, when a user is on VPN you will see the events below:

Okta + cisco or Anyconnect

When a user is on-prem you will see only one event:

Okta

When a user logs on from the office he is on Okta; from anywhere other than the office he logs on via VPN, i.e. Okta + VPN.
If there are multiple occurrences of logon on the same day, then it should show on-prem & VPN.

*Without Okta, connecting to VPN is not possible.*

Thanks

 


yuanliu
SplunkTrust

Actually, when a user is on VPN you will see the events below:

Okta + GP or Anyconnect

When a user is on-prem you will see only one event:

Okta

I interpret this as the 2nd scenario in my previous post.  Have you tried this?

 

index=xyz sourcetype=Okta* ((eventType=user.* displayMessage="User single sign on to app")
  OR (targetAppAlternateId="cisco*" OR targetAppAlternateId="anyconnect*")) earliest=-30d
| eval logon = case(match(targetAppAlternateId, "(?i)anyconnect|cisco"), "VPN", match(displayMessage, "User single sign on to app"), "Okta")
| bin span=1d@d _time
| stats values(logon) as logon by _time userid
| eval connectivity_type = case(isnotnull(mvfind(logon, "^Okta$")) AND isnotnull(mvfind(logon, "^VPN$")), "VPN", isnotnull(mvfind(logon, "^Okta$")), "On-prem", true(), "none")

 

(I removed the anomaly handling but otherwise it's the same.)  Please post the output if it differs from the desired results (with an illustration of the desired results), and also illustrate raw events. (If anonymized, make sure to validate the JSON.  The first posted sample is invalid.)

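The classification the answer above performs in SPL (one marker per event, `stats values(...)` per user per day, then a state derived from the set of markers), reproduced in Python as an added example that is not part of the original thread, so the per-day set logic and its edge cases can be seen on concrete input. It goes slightly beyond the SPL: a day that has VPN evidence but no plain Okta SSO, which the poster says cannot happen, is reported as an anomaly instead of "none". The field names (`published`, `eventType`, `displayMessage`, `actor.alternateId`, `target[].alternateId`) follow the Okta System Log schema; that `target[0].alternateId` is what the SPL sees as `targetAppAlternateId` is an assumption, and the sample events are constructed for this example.

```python
import json
import re
from collections import defaultdict

SSO_MESSAGE = "User single sign on to app"
# Same app-name pattern as the SPL search, case-insensitive so both
# "cisco*" and "Cisco AnyConnect" match.
VPN_APP_RE = re.compile(r"anyconnect|cisco", re.IGNORECASE)

# Constructed sample events (not real log data): one Okta System Log record
# per line, as they would be indexed.  Field layout is an assumption.
SAMPLE_EVENTS = [
    '{"published":"2024-05-06T08:01:00Z","eventType":"user.authentication.sso","displayMessage":"User single sign on to app","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"Salesforce"}]}',
    '{"published":"2024-05-06T08:02:00Z","eventType":"user.authentication.sso","displayMessage":"User single sign on to app","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"Cisco AnyConnect VPN"}]}',
    '{"published":"2024-05-06T09:15:00Z","eventType":"user.authentication.sso","displayMessage":"User single sign on to app","actor":{"alternateId":"bob@example.com"},"target":[{"alternateId":"Salesforce"}]}',
    '{"published":"2024-05-07T07:40:00Z","eventType":"user.session.start","displayMessage":"User login to Okta","actor":{"alternateId":"bob@example.com"},"target":[]}',
    '{"published":"2024-05-07T10:05:00Z","eventType":"user.authentication.sso","displayMessage":"User single sign on to app","actor":{"alternateId":"bob@example.com"},"target":[{"alternateId":"Jira"}]}',
    '{"published":"2024-05-07T11:00:00Z","eventType":"user.authentication.sso","displayMessage":"User single sign on to app","actor":{"alternateId":"carol@example.com"},"target":[{"alternateId":"anyconnect-emea"}]}',
    '{"published":"2024-05-08T06:30:00Z","eventType":"user.session.start","displayMessage":"User login to Okta","actor":{"alternateId":"dave@example.com"},"target":[]}',
    'this line is not JSON and is skipped',
]


def classify_event(event):
    """Return 'VPN', 'Okta' or None for one parsed Okta event.

    Mirrors the SPL eval: an SSO to the VPN app is VPN evidence, any other
    'User single sign on to app' is plain Okta evidence.  VPN is tested first
    because a VPN SSO event also carries the generic SSO message.
    """
    targets = event.get("target") or []
    app = targets[0].get("alternateId", "") if targets else ""
    if VPN_APP_RE.search(app):
        return "VPN"
    if event.get("displayMessage") == SSO_MESSAGE:
        return "Okta"
    return None


def bucket_by_day_and_user(lines):
    """Equivalent of `bin span=1d@d _time | stats values(logon) by _time userid`."""
    logon = defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the run
        day = event.get("published", "")[:10]  # YYYY-MM-DD of the event
        user = (event.get("actor") or {}).get("alternateId")
        if not day or not user:
            continue
        markers = logon[(day, user)]  # creates the row even with no evidence
        marker = classify_event(event)
        if marker:
            markers.add(marker)
    return logon


def connectivity_type(markers):
    """Derive the per-day state from the set of markers seen for a user."""
    if "Okta" in markers and "VPN" in markers:
        return "VPN"
    if "Okta" in markers:
        return "On-prem"
    if "VPN" in markers:
        # VPN evidence without a plain Okta SSO: per the poster this should
        # not happen, so flag it instead of silently reporting "none".
        return "VPN (anomaly: no Okta SSO seen)"
    return "none"


def daily_connectivity(lines):
    """Return sorted (day, user, connectivity_type) rows."""
    logon = bucket_by_day_and_user(lines)
    return sorted((day, user, connectivity_type(m)) for (day, user), m in logon.items())


if __name__ == "__main__":
    for day, user, state in daily_connectivity(SAMPLE_EVENTS):
        print(f"{day}  {user:<20} {state}")
```

Reading the rows: alice on the 6th has both markers and is reported as VPN, bob on both days has only plain Okta SSO and is On-prem, carol on the 7th has a VPN app SSO with no other Okta SSO and is flagged, and dave's session-start event matches neither pattern and yields "none", which is what the SPL's final `case()` branch produces when `values(logon)` is empty.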

yuanliu
SplunkTrust

It is not immediately clear which field will indicate connection to Okta and which indicates connection to Cisco/Anyconnect.  So the following will just perform a match against _raw.  The best would be to narrowly match designated fields. (One reason this is unclear is because the sample data you give is no longer valid JSON because of some inaccuracy during your anonymization.  It would help if you can diagnose the JSON, or at the minimum use a pretty print before doing anonymization so volunteers can make an educated guess.  But in this problem it shouldn't matter too much, because you already know which fields are of interest.)

<your search> earliest=-30d
| eval connect_state = if(match(_raw, "okta"), if(match(_raw, "cisco|anyconnect"), "VPN", "On-prem"), "none")
| timechart span=1d@d values(connect_state) as connect_state

Is this something you are looking for?
