Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Identifying compliant logins - including last login time.

DLevine_
Explorer
‎12-06-2024 08:46 AM

Working on supplementing a search we are using to implement conditional access policies. The search identifies successful logins and produces a percentage of compliant logins over a period. What I am trying to add, is the last login time which is identified by the "createdDateTime" in the logs. 

Here is the current search: 
index="audit" sourcetype="signin" userPrincipalName="*domain.com" status.errorCode=0
| eval DeviceCompliance='deviceDetail.isCompliant'
| chart count by userPrincipalName DeviceCompliance
| eval total=true + false
| rename true as compliant
| eval percent=((compliant/total)*100)
| table userPrincipalName compliant total percent

I have tried adding / modifying pipes like "stats latest(createdDateTime) by userPrincilaName compliant total percent" but this is inserting the time into the true / false fields. I feel that I am modifying the data too much up front and maybe need to change around the piping order perhaps? All suggestions welcomed.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎12-06-2024 08:23 PM

Now this is a well-defined problem.  As you suspected, you will have to manipulate data one way or another  if you want this chart format.  So here is one option

 

index="audit" sourcetype="signin" userPrincipalName="*domain.com" status.errorCode=0
| rename "deviceDetail.isCompliant" as DeviceCompliance
| stats count latest(createdDateTime) as lastLogin by userPrincipalName DeviceCompliance
| eventstats max(lastLogin) as lastLogin by userPrincipalName
| tojson userPrincipalName lastLogin
| chart sum(count) as count over _raw by DeviceCompliance
| fillnull true false
| eval total=true + false
| rename true as compliant
| eval percent=((compliant/total)*100)
| spath
| table userPrincipalName compliant total percent lastLogin

 

Here is an emulation to test this:

 

index = _audit action IN (artifact_deleted, quota)
| eval action = if(action == "quota", "true", "false")
| rename user AS userPrincipalName, action AS DeviceCompliance, _time as createdDateTime
| eval createdDateTime = strftime(createdDateTime, "%FT%H:%M:%S")
``` the above emulates
index="audit" sourcetype="signin" userPrincipalName="*domain.com" status.errorCode=0
| rename "deviceDetail.isCompliant" as DeviceCompliance
```

 

Combine these, I get

userPrincipalNamecomplianttotalpercentlastLogin
yliu46461002024-12-05T22:04:13
splunk-system-user13439234.1836734693877562024-12-06T03:06:08

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎12-06-2024 10:00 AM

Two critical question you haven't answered:

  1. What is defined as "last login time" in relation to DeviceCompliance?  Is it the very last regardless of compliance?  Or is it the last time in each compliance state?
  2. How do you want to display this value in your presentation?  Use a mockup table to illustrate.

 

0 Karma
Reply
Solved! Jump to solution

DLevine_
Explorer
‎12-06-2024 10:43 AM

Thanks for the reply. 

1. The logs identify a 'createdDateTime' for each login entry. There is no direct relationship to compliance, however, I am searching for successful logins in the search, then defining what percentage of those are compliant.  So, here I am trying to get the very last attempt, regardless of compliance. 

2.Ideally the table would look something like this:

userPrincipalName

Compliant

Total

Percent

lastLogin

Joe.Camel@domain.com

4

4

100

2024-12-06T18:14:50Z

Drake.Mallard@domain.com

1

4

25

2024-12-05T22:56:25Z

Jane.Doe@domain.com

0

8

0

2024-11-25T07:13:22Z

 

Where the 'lastLogin' column is the entry for the very last 'createdDateTime' login entry per user.

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎12-06-2024 08:23 PM

Now this is a well-defined problem.  As you suspected, you will have to manipulate data one way or another  if you want this chart format.  So here is one option

 

index="audit" sourcetype="signin" userPrincipalName="*domain.com" status.errorCode=0
| rename "deviceDetail.isCompliant" as DeviceCompliance
| stats count latest(createdDateTime) as lastLogin by userPrincipalName DeviceCompliance
| eventstats max(lastLogin) as lastLogin by userPrincipalName
| tojson userPrincipalName lastLogin
| chart sum(count) as count over _raw by DeviceCompliance
| fillnull true false
| eval total=true + false
| rename true as compliant
| eval percent=((compliant/total)*100)
| spath
| table userPrincipalName compliant total percent lastLogin

 

Here is an emulation to test this:

 

index = _audit action IN (artifact_deleted, quota)
| eval action = if(action == "quota", "true", "false")
| rename user AS userPrincipalName, action AS DeviceCompliance, _time as createdDateTime
| eval createdDateTime = strftime(createdDateTime, "%FT%H:%M:%S")
``` the above emulates
index="audit" sourcetype="signin" userPrincipalName="*domain.com" status.errorCode=0
| rename "deviceDetail.isCompliant" as DeviceCompliance
```

 

Combine these, I get

userPrincipalNamecomplianttotalpercentlastLogin
yliu46461002024-12-05T22:04:13
splunk-system-user13439234.1836734693877562024-12-06T03:06:08
Reply
Solved! Jump to solution

DLevine_
Explorer
‎12-13-2024 06:06 AM

Thank you, this does work wonderfully. I am still learning and not wanting to be spoon-fed. 
Can you explain why you chose to json at the point you did and what is this portion of the piping doing? 

| chart sum(count) as count over _raw by DeviceCompliance

 The rest of it makes complete sense when I work through it out loud.

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎12-13-2024 03:26 PM

Glad it works out.  JSON allows for semantic expression.  The more traditional "Splunk" trick is to use string concatenation then split after stats.  tojson command is present in all Splunk versions; in this case, it is also very concise.

If you remove the rest of search after that chart, you'll see something like this:

_rawfalsetrue
{"lastLogin":"2024-12-12T23:42:47","userPrincipalName":"yliu"} 28
{"lastLogin":"2024-12-13T00:58:38","userPrincipalName":"splunk-system-user"}290150

The intent is to construct a chart that will render the desired table layout while retaining all the data needed to produce final presentation. (This is why I ask for a mockup table so I know how you want to present data.  Presentation does influence solution.)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...