Multiple Users with Authentications from Singular, non-Whitelisted IP Basically I needed a way to determine if a series of users are connecting from a singular IP. This is particularly useful during COVID-19 WFH constraints. The search is intended to look at the VPN index for a new session initiation, excluding all RFC1918 traffic as a […]
Helps to investigate authentications through a CISCO_ISE device. This identifies who logs in, plus the MAC address and IP, for any use case.
index=<your cisco index> "<your IP>"
|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)"
|rex field=_raw "(?<IP><IP regex>)"
|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
|rename _time as Time, RequestLatency as LoadTime, Acct_Status_Type as Status, IP as <your choice> |convert ctime(Time)
|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In