
"User Login History & Device" report for NIOS 7.3.200


This report is based on the "User Login History" report. In addition, it shows the user's end-host device (hostname, MAC address, OS) and the switch, interface and VLAN the device is connected to, joined in from the Infoblox discovery data (ib:discovery:end_host_activity). This report is only for NIOS 7.3.200 and later.


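<form>
  <label>User Login History &amp; Device</label>
  <description>NIOS user-login events (ib:user:user_login) joined with Infoblox discovery data: end-host name, MAC address, OS, and the switch / interface / VLAN the host is connected to. Requires NIOS 7.3.200 or later.</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time" searchWhenChanged="false">
      <label>Last Updated</label>
      <default>
        <earliest>-1w</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!--
      The text and dropdown inputs below are spliced verbatim into the SPL of
      the first panel (via $ip_address_str$, $user_name_str$, $status_str$).
      Every value is therefore passed through the |s token filter, which wraps
      it in double quotes and escapes any embedded quotes, so a value such as
        x" OR index=* "
      cannot break out of the field comparison and widen the search to other
      indexes. Because the filter supplies the quoting, the literal quotes
      around $value$ are intentionally NOT written here (they would be doubled).
      Wildcards still work inside the quotes (ip_address="10.0.*").
      The dropdown is filtered too: form tokens can be preset from the URL
      (form.status=...), so its fixed choice list is not a guarantee.
    -->
    <input type="text" token="ip_address">
      <label>IP Address</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="ip_address_str">*</set>
        </condition>
        <condition value="*">
          <set token="ip_address_str">ip_address=$value|s$</set>
        </condition>
      </change>
    </input>
    <input type="text" token="user_name">
      <label>User Name</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="user_name_str">*</set>
        </condition>
        <condition value="*">
          <set token="user_name_str">user_name=$value|s$</set>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="status">
      <label>User Status</label>
      <choice value="All">All</choice>
      <choice value="ACTIVE">Active</choice>
      <choice value="LOGOUT">Logged out</choice>
      <choice value="TIMEOUT">Timed out</choice>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="status_str">*</set>
        </condition>
        <condition value="*">
          <set token="status_str">status=$value|s$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <!--
        Login history. Sessions still ACTIVE whose last activity is older than
        TIMEOUT_VAL minutes (default 18000 s = 5 h when the field is absent) are
        re-labelled TIMEOUT. Discovery data is left-joined on ip_address, then
        kept only when the discovery window overlaps the login session
        (+/- 86400 s = one day of slack), or when no discovery record exists.
      -->
      <table>
        <search>
          <query>sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security                  $ip_address_str$                  $user_name_str$                  $status_str$                  

| eval user_name=user_name."@".domain 

| eval TIMEOUT_VALUE=if(isnull(TIMEOUT_VAL),18000,TIMEOUT_VAL*60) 

| eventstats latest(last_activeEpoch) as l_last_active by user_name, ip_address, login_time                 

 | eval status=if((last_activeEpoch=l_last_active) AND (status=="ACTIVE") AND ((last_activeEpoch+TIMEOUT_VALUE) &lt; now()),"TIMEOUT",status) , timeout_time=last_activeEpoch+TIMEOUT_VALUE , login_time1=strptime(login_time,"%Y-%m-%d %H:%M:%S")                                  

| join ip_address type=left [search index=ib_discovery source=ib:discovery:end_host_activity | rename end_host_ip_address as ip_address  ] 

| where (end_host_first_discovered-86400&lt;=login_time1 and end_host_last_discovered+86400&gt;timeout_time) OR isnull(end_host_last_discovered)

| sort -_time | eval last_active =if(logout_time!="*" OR logout_time&gt; last_active, logout_time,last_active)   | rename timestamp as Time, user_name as "User Name", login_time as "First Seen/Login Time", logout_time as "Logout Time", last_active as "Last Seen/Logout Time", last_updated as "Last Updated", ip_address as "IP Address", domain as "Domain", status as "User Status", end_host_name as Hostname, end_host_mac_address as "MAC Address", end_host_os_version as OS, switch_name as "Network Device", switch_interface as "Network Interface", switch_vlan as Vlan           | table "Last Updated" "User Name" "IP Address" "MAC Address" Hostname "First Seen/Login Time"  "Last Seen/Logout Time"    "Network Device"  "Network Interface"  Vlan "User Status"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <!-- Hide the detail panel whenever this search re-runs; a row click sets the token again. -->
          <progress>
            <condition>
              <unset token="endhost_ip"></unset>
            </condition>
          </progress>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">row</option>
        <option name="wrap">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">20</option>
        <!--
          The clicked row's IP is injected into the second panel's search.
          It is scoped to end_host_ip_address and quoted with |s rather than
          inserted as a bare term: a bare term also matches discovery events
          whose switch_ip_address equals the clicked address, and an unquoted
          value (also settable from the URL) could alter the search itself.
        -->
        <drilldown>
          <condition field="*">
            <set token="endhost_ip">end_host_ip_address=$row.IP Address|s$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- Discovery detail for the selected end host; one row per distinct host/switch combination, newest first. -->
      <table depends="$endhost_ip$">
        <title>Endhost and Connection Information</title>
        <search>
          <query>source=ib:discovery:end_host_activity index=ib_discovery                  $endhost_ip$                  | sort -end_host_last_discovered                  | fillnull value=""                  | dedup end_host_mac_address end_host_ip_address end_host_name end_host_network_view end_host_device_vendor end_host_device_model end_host_os_version switch_name switch_vendor switch_model switch_os_version switch_ip_address switch_interface switch_vlan end_host_first_discovered                  | eval end_host_last_discovered=strftime(end_host_last_discovered,"%Y-%m-%d %H:%M:%S")                  | eval end_host_first_discovered=strftime(end_host_first_discovered,"%Y-%m-%d %H:%M:%S")                  | rename end_host_mac_address as "MAC Address" end_host_ip_address as "IP Address" end_host_first_discovered as "First Seen" end_host_last_discovered as "Last Seen" end_host_name as "Name" end_host_network_view as "Network View" switch_name as "Device Name" switch_vendor as "Device Vendor" switch_model as "Device Model" switch_os_version as "Device OS Version" switch_ip_address as "Device IP Address" switch_interface as "Device Interface" switch_vlan as "Device Vlan"                  | table "MAC Address" "IP Address" "First Seen" "Last Seen" "Network View" "Device Name" "Device Vendor" "Device Model" "Device OS Version" "Device IP Address" "Device Interface" "Device Vlan"                  | sort -_time +str("MAC Address")</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>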

BR,

Vadim

Re: "User Login History & Device" report for NIOS 7.3.200

RHamoud_1

Thanks, you are the best. Do you think we can include the same information (end-host device and switch) in the DNS Firewall report?


Re: "User Login History & Device" report for NIOS 7.3.200


Yep
