How to get ADFS Location Login Lookup based on IP address with iplocation region country and time?

nathig
Explorer

Why is this search not returning the iplocation of the IP addresses? It is not the most efficient search, but right now I am just trying to get it to work for the iplocation lookup. This search would run every 5 minutes for the last 5 minutes and alert on any country that does not equal United States. I do not have that in the search string because right now I am just trying to get a result.

index="wineventlog" sourcetype="WinEventLog:Security" host=adfs*
    (EventCode=299 OR EventCode=410 OR EventCode=403 OR EventCode=500 OR EventCode=501)
| rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)"
| rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\."
| transaction Activity_ID Instance_ID maxpause=10s
| rex field=Message "SAIF\\\(?<domain_uid>.*).*"
| search domain_uid=*
| rex field=Message "\s(?<clientip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s"
| dedup clientip
| dedup X_MS_Forwarded_Client_IP
| makemv delim="," X_MS_Forwarded_Client_IP
| eval alltheips=mvappend(clientip, X_MS_Forwarded_Client_IP)
| mvexpand alltheips
| iplocation alltheips
| stats values(Keywords), values(City), values(Region), values(Country), values(alltheips), values(ip_count), values(Activity_ID), values(Instance_ID), values(X_MS_Client_User_Agent), values(User_Agent), values(_time) by domain_uid, _time

Suggestions would be helpful. This is very similar to what the following two posts are trying to do.
https://answers.splunk.com/answers/454144/is-there-a-splunk-app-or-add-on-that-will-help-rea.html
https://answers.splunk.com/answers/215994/how-do-i-find-active-directory-usernames-logging-i.html

0 Karma

mayurr98
Super Champion

Hey, if you want to troubleshoot this search, I would suggest not running the entire search. Instead, run a single query and add the further commands one at a time, and see where you stop getting results. It would be very helpful.

For example, run this search and see whether everything is extracted properly or not:

index="wineventlog" sourcetype="WinEventLog:Security" host=adfs*
    (EventCode=299 OR EventCode=410 OR EventCode=403 OR EventCode=500 OR EventCode=501)
| rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)"
| rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\."

and then add the further commands one by one.

0 Karma

rektdata
New Member

Why do some people not use Google Maps? Check this: https://ipdetectives.io/ Is there a problem with Google?

0 Karma

jmjssplunkthing
New Member

For me it returns results up to line 7, were you able to figure this out?

0 Karma