I am in the process of trying to create a search to identify when clients have MFA enabled / disabled. The purpose of this search is to include date, time, device info, geo location... basically everything needed so that if an account was compromised or MFA was disabled longer than what's allowed, I can document it and take appropriate action with the client.
index=* source=security_logs incident_id=0365 action=disable authentication_type=MFA earliest=-24h
| iplocation ip_address
| eventstats latest(time_enabled) AS time_enabled BY user
| eval days_disabled=round((now()-time_enabled)/(60*60*24))
| table user, ip_address, "inbound/outbound", time, date, duration, ip_city, ip_country, days_disabled
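The same check outside Splunk, as an added example that is not part of the original post: replay MFA enable/disable events per user, keep the first disable of the current disabled streak (a second disable must not reset the clock, and a later enable must clear it), and report accounts whose MFA has been off longer than policy allows, together with the IP and geo fields the post asks for. The event format, the field names (user, action, ip_address, ip_city, ip_country), the 24-hour threshold and the sample events are all assumptions standing in for whatever the real security_logs source emits.

```python
"""Report accounts whose MFA has been disabled longer than policy allows.

Added example; everything here is constructed. Field names, the event format,
the 24-hour policy and the sample events are assumptions, not the poster's data.
"""
from datetime import datetime, timedelta, timezone

MAX_DISABLED = timedelta(hours=24)  # assumed policy: MFA may be off at most 24h

# Constructed sample events (not real log data); deliberately out of order so
# the replay below has to sort them. Geo fields stand in for Splunk's iplocation.
SAMPLE_EVENTS = [
    {"time": "2024-05-03T09:15:00Z", "user": "alice", "action": "disable",
     "ip_address": "203.0.113.7", "ip_city": "Lisbon", "ip_country": "Portugal"},
    {"time": "2024-05-01T08:00:00Z", "user": "bob", "action": "disable",
     "ip_address": "198.51.100.4", "ip_city": "Denver", "ip_country": "United States"},
    {"time": "2024-05-01T10:30:00Z", "user": "bob", "action": "enable",
     "ip_address": "198.51.100.4", "ip_city": "Denver", "ip_country": "United States"},
    {"time": "2024-05-02T22:00:00Z", "user": "carol", "action": "disable",
     "ip_address": "192.0.2.50", "ip_city": "Sydney", "ip_country": "Australia"},
    {"time": "2024-05-04T06:00:00Z", "user": "carol", "action": "disable",
     "ip_address": "192.0.2.51", "ip_city": "Sydney", "ip_country": "Australia"},
]


def parse_time(s):
    """Parse the assumed ISO-8601 UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def disabled_streaks(events):
    """Replay events in time order and return {user: first disable event of the
    streak that is still open}. A repeated disable keeps the original start; an
    enable closes the streak so the user drops out of the result."""
    open_streaks = {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        user, action = ev["user"], ev["action"]
        if action == "disable":
            open_streaks.setdefault(user, ev)
        elif action == "enable":
            open_streaks.pop(user, None)
    return open_streaks


def find_overdue(events, now_iso, max_disabled=MAX_DISABLED):
    """Return one finding per user whose MFA has been off longer than
    max_disabled as of now_iso, with the IP/geo data from the disable event."""
    now = parse_time(now_iso)
    findings = []
    for user, ev in disabled_streaks(events).items():
        duration = now - parse_time(ev["time"])
        if duration <= max_disabled:
            continue
        findings.append({
            "user": user,
            "disabled_since": ev["time"],
            "ip_address": ev["ip_address"],
            "ip_city": ev["ip_city"],
            "ip_country": ev["ip_country"],
            "days_disabled": round(duration.total_seconds() / 86400, 1),
        })
    return sorted(findings, key=lambda f: f["user"])


if __name__ == "__main__":
    # "now" is fixed so the report is reproducible; a real job would use utcnow().
    for f in find_overdue(SAMPLE_EVENTS, "2024-05-04T12:00:00Z"):
        print("{user:8} {disabled_since} {ip_address:14} {ip_city}, {ip_country} "
              "{days_disabled} days".format(**f))
```

With the constructed data, alice (26h45m) and carol (counted from her first disable on 05-02, not the repeat on 05-04) are reported, while bob, who re-enabled MFA, is not. Moving "now" to 2024-05-03T20:00Z puts both remaining users inside the 24-hour window and the report is empty, which is the threshold behaviour the search is meant to enforce.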