Splunk Search

How can I monitor user activity pattern search?

AL3Z
Builder

Hi,

I'm trying to figure out the query to identify when users are or are not connecting to the VPN.


AL3Z
Builder

@yuanliu 
I apologize for not providing adequate clarification earlier.

Actually, when a user is on VPN you will see the events below:

Okta + cisco or Anyconnect

When a user is on-prem you will see only one event:

Okta

When a user logs on from the office he is on Okta; other than from the office he logs on via VPN, i.e. Okta + VPN.
If there are multiple occurrences of logon on the same day, then it should show on-prem & VPN.

*Without Okta, connecting to VPN is not possible.*

Thanks


yuanliu
SplunkTrust

Actually, when a user is on VPN you will see the events below:

Okta + GP or Anyconnect

When a user is on-prem you will see only one event:

Okta

I interpret this as the 2nd scenario in my previous post.  Have you tried this?


index=xyz sourcetype=Okta* ((eventType=user.* displayMessage="User single sign on to app")
  OR targetAppAlternateId="cisco*" OR targetAppAlternateId="anyconnect*") earliest=-30d
| eval logon = case(match(targetAppAlternateId, "(?i)anyconnect|cisco"), "VPN", match(displayMessage, "User single sign on to app"), "Okta")
| bin span=1d@d _time
| stats values(logon) as logon by _time userid
| eval connectivity_type = case(isnotnull(mvfind(logon, "^VPN$")), "VPN", isnotnull(mvfind(logon, "^Okta$")), "On-prem", true(), "none")


(I removed the anomaly handling but otherwise it's the same.)  Please post the output if it differs from the desired results (with an illustration of the desired results), and also illustrate raw events. (If anonymized, make sure to validate the JSON.  The first posted sample is invalid.)


yuanliu
SplunkTrust

It is not immediately clear which field will indicate a connection to Okta and which one a connection to Cisco/Anyconnect.  So the following will just perform a match against _raw.  The best approach would be to narrowly match the designated fields. (One reason this is unclear is that the sample data you give is no longer valid JSON because of some inaccuracy during your anonymization.  It would help if you could validate the JSON, or at a minimum pretty-print it before anonymizing so volunteers can make an educated guess.  But in this problem it shouldn't matter too much, because you already know which fields are of interest.)

<your search> earliest=-30d
| eval connect_state = if(match(_raw, "(?i)okta"), if(match(_raw, "(?i)cisco|anyconnect"), "VPN", "On-prem"), "none")
| timechart span=1d@d values(connect_state) as connect_state

Is this something you are looking for?
