Table: kolide_auth_log
Lists the authentication attempts occurring when a user tries to sign into an App protected by Kolide Device Trust.
Examples
Basic info
select timestamp, person_name, initial_status, result
from kolide_auth_log;
List all attempts from the past day
select timestamp, person_name, initial_status, result
from kolide_auth_log
where timestamp > date_trunc('day', current_date) - interval '1 day';
List all failed attempts performed by a specific user
select timestamp, initial_status, result
from kolide_auth_log
where person_name = 'Dennis Nedry' and result = 'Fail';
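Per-user sign-in summary for triage. This is an added example, not one of the plugin's own queries. It uses only columns from the schema on this page; the 7-day window and the thresholds in the HAVING clause are assumptions to tune for your environment.

```sql
-- Added example: summarise each user's sign-in attempts over the last 7 days
-- and surface users with repeated failures or attempts from several countries.
-- The window (7 days) and thresholds (5 failures, more than 1 country) are
-- assumed values, not recommendations from the plugin documentation.
select
  person_email,
  person_name,
  count(*) as attempts,
  count(*) filter (where result = 'Fail') as failed,
  -- initial_status values are the ones listed in the schema description
  count(*) filter (where initial_status = 'Blocked') as started_blocked,
  count(*) filter (where initial_status = 'Unknown') as no_device_detected,
  -- country and city come from IP geocoding, so treat them as approximate
  count(distinct country) as countries,
  count(distinct ip_address) as source_ips,
  count(distinct device_id) as devices,
  max(timestamp) as last_attempt
from
  kolide_auth_log
where
  -- timestamp supports the > operator, so the time filter is applied first
  timestamp > now() - interval '7 days'
group by
  person_email,
  person_name
having
  count(*) filter (where result = 'Fail') >= 5
  or count(distinct country) > 1
order by
  failed desc,
  countries desc;
```

Rows with a high no_device_detected count are sign-in attempts where no device was detected, which is the Unknown status described in the schema.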
Schema for kolide_auth_log
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
agent_version | text | =, ~~ | Version of the Kolide Agent running on the endpoint, if known. |
browser_name | text | =, ~~ | Common name of the browser used to initiate the session, subject to the limitations and accuracy of browser detection. |
browser_user_agent | text | | User agent information for the browser used to initiate this session, subject to the limitations and accuracy of browser detection. |
city | text | =, ~~ | Name of the city that the session originated from, determined by IP address and subject to the limitations of IP geocoding. |
country | text | =, ~~ | Name of the country that the session originated from, determined by IP address and subject to the limitations of IP geocoding. |
device_id | text | | Canonical identifier for the device this auth event relates to. |
events | jsonb | | Events that occurred during this authentication session. |
id | text | = | Canonical identifier for this auth event. |
initial_status | text | | Initial auth status of the device attempting authentication, one of All_Good, Will_Block, Blocked or Unknown if no device was detected. |
ip_address | text | =, ~~ | IP address of the request initiating this auth event, may be IPv4 or IPv6. |
issues_displayed | jsonb | | List of issue titles and blocking status that were displayed to the end user. |
person_email | text | | Email of the user triggering this auth event. |
person_id | text | | Canonical identifier for the user this auth event relates to. |
person_name | text | | Name of the user triggering this auth event. |
result | text | | Result of the authentication attempt, either Success or Fail. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
timestamp | timestamp with time zone | =, >, < | When this event started. |
title | text | | Display name for this event. |