How to pass a user ID to a new query?

rip_leroi · ‎03-01-2022

I'm attempting to build a search around Okta authentication logs. I want to run a query to check for any Multi factor update/change, collect the user ID and pass that to another search where I see the geolocation data where the User has authenticated previously over a specific time span. Essentially, I'm trying to build a search to see if a user that requested an MFA change is doing it from a different geolocation than they normally authenticate from.

The query below shows all users that have have a MFA change with their corresponding geolocation data. Is there a way to pass the user ID(s) to a different search where I can look at 7 days worth of their authentication activity to see if the geolocation matches?

I've researched sub-searches but that doesn't work because I need the user ID first but the subsearch runs first and I don't have the user ID yet. I looked at map which seems like it's the best solution, but there a lot of warnings about it being resource intensive. If anyone can point me in the right direction, it would be very much appreciated.

index=okta eventType="user.mfa.factor.update" | stats values(actor.id), values(client.geographicalContext.State)

yuanliu · ‎03-02-2022

It can help other people to help if you can illustrate how the "another search" looks like, especially as you mentioned resource as a concern.

sub-searches but that doesn't work because I need the user ID first but the subsearch runs first and I don't have the user ID yet.

Why not use that illustrated query that returns users with MFA geolocation change as subsearch, then?

How to pass a user ID to a new query?

join

other

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!