Splunk Search

About Salesforce logs

satiku
New Member

I would like to write SPL against Salesforce logs to meet the following requirements.


① Users who have been failing login multiple times every day for a week or more
② Detection of users locked out of login across multiple user IDs from the same IP


What kind of SPL should I write?


0 Karma

tscroggins
Influencer

@satiku 

(I am answering based on the translation provided by https://translate.google.com/.)

In the following examples, replace index=sfdc with your Salesforce index. If you are using Splunk Add-on for Salesforce, authentication events have tag=authentication.

Search for users who logged in two weeks ago but have not logged in during the last week:

index=sfdc tag=authentication user=* action=success earliest=-2w latest=-1w NOT [ search index=sfdc tag=authentication user=* action=success earliest=-1w latest=now | stats latest(_time) as _time by user | table user ]

I do not know what a locked user looks like in Salesforce logs, but if we assume login failures lead to locked users, we can look for failures for multiple users from the same source:

index=sfdc tag=authentication user=* action=failure
| eventstats dc(user) as user_count by src
| where user_count>1

These examples can be adapted to use the Authentication data model as well, but you would want to filter by the app field or another field specific to Salesforce.

0 Karma
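The two detections asked for in the question (per-user failures on every day of a week or more, and one source address failing against several user IDs) can be prototyped outside Splunk before committing to SPL. The following Python is an added example, not part of this thread and not Splunk or Salesforce code; it runs the same logic as the `stats`/`eventstats` searches above over a small set of constructed login events whose `user`, `src` and `action` fields mirror what the Splunk Add-on for Salesforce exposes under `tag=authentication`. The thresholds (`min_days`, `min_per_day`, `min_users`) and the sample users and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Salesforce data.
# Each record: (timestamp, user, src, action) with action in {"success", "failure"}.
def _failures(user, src, days, per_day):
    """Generate `per_day` failures on each of `days` consecutive days from 2024-05-01."""
    out = []
    for d in range(days):
        for i in range(per_day):
            ts = datetime(2024, 5, 1) + timedelta(days=d, hours=9 + i)
            out.append((ts, user, src, "failure"))
    return out

SAMPLE_EVENTS = (
    _failures("alice", "203.0.113.5", days=8, per_day=3)   # 8 days, several per day
    + _failures("bob", "203.0.113.5", days=5, per_day=2)   # only 5 days
    + _failures("carol", "203.0.113.5", days=8, per_day=1) # 8 days but once per day
    + _failures("dave", "198.51.100.7", days=2, per_day=2) # separate source, one user
    + [(datetime(2024, 5, 9, 8, 0), "alice", "203.0.113.5", "success")]
)


def daily_failure_counts(events):
    """Equivalent of: action=failure | bin _time span=1d | stats count by user _time."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, src, action in events:
        if action == "failure":
            counts[user][ts.date()] += 1
    return counts


def longest_daily_streak(day_counts, min_per_day=2):
    """Longest run of consecutive calendar days with at least `min_per_day` failures."""
    days = sorted(d for d, n in day_counts.items() if n >= min_per_day)
    best = run = 0
    prev = None
    for d in days:
        run = run + 1 if prev is not None and d - prev == timedelta(days=1) else 1
        best = max(best, run)
        prev = d
    return best


def persistent_failing_users(events, min_days=7, min_per_day=2):
    """Requirement ①: users failing `min_per_day`+ times on each of `min_days`+ consecutive days."""
    counts = daily_failure_counts(events)
    return sorted(
        user for user, per_day in counts.items()
        if longest_daily_streak(per_day, min_per_day) >= min_days
    )


def sources_hitting_multiple_users(events, min_users=2):
    """Requirement ② (using the answer's heuristic): src -> distinct users it failed against,
    equivalent to: action=failure | stats dc(user) as user_count values(user) by src | where user_count>1."""
    users_by_src = defaultdict(set)
    for ts, user, src, action in events:
        if action == "failure":
            users_by_src[src].add(user)
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= min_users}


if __name__ == "__main__":
    print("persistent failing users:", persistent_failing_users(SAMPLE_EVENTS))
    print("sources failing against multiple users:", sources_hitting_multiple_users(SAMPLE_EVENTS))
```

The streak check matters for requirement ①: a plain `stats count by user` over seven days would also flag `carol`, who fails only once a day, and `bob`, whose failures stop after five days, whereas the run-of-days test flags only `alice`. In SPL the same separation is done by bucketing on `_time` with `bin span=1d` before counting per user and day, then counting the qualifying days.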