v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →

Hub

Plugins Mods Docs Home

Plugins

grendel-consulting/kolide

steampipe plugin install grendel-consulting/kolidesteampipe plugin install grendel-consulting/kolide

kolide_admin_user kolide_audit_log kolide_auth_log kolide_check kolide_deprovisioned_person kolide_device kolide_device_group kolide_device_group_device kolide_device_open_issue kolide_exemption_request kolide_issue kolide_package kolide_person kolide_person_group kolide_person_open_issue kolide_person_registered_device kolide_registration_request

Table: kolide_auth_log

Lists the authentication attempts occurring when a user tries to sign into an App protected by Kolide Device Trust.

Examples

Basic info

select
  timestamp,
  person_name,
  initial_status,
  result
from
  kolide_auth_log;

List all attempts from the past day

select
  timestamp,
  person_name,
  initial_status,
  result
from
  kolide_auth_log
where
  timestamp > date_trunc('day', current_date) - interval '1 day';

List all failed attempts performed by a specific user

select
  timestamp,
  initial_status,
  result
from
  kolide_auth_log
where
  person_name = 'Dennis Nedry'
  and result = 'Fail';

Schema for kolide_auth_log

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
agent_version	text	=, ~~	Version of the Kolide Agent running on the endpoint, if known.
browser_name	text	=, ~~	Common name of the browser used to initiate the session, subject to the limitations and accuracy of browser detection.
browser_user_agent	text		User agent information for the browser used to initiatie this session, subject to the limitations and accuracy of browser detection.
city	text	=, ~~	Name of the city that the session originated from, determined by IP addres and subject to the limitations of IP geocoding.
country	text	=, ~~	Name of the country that the session originated from, determined by IP addres and subject to the limitations of IP geocoding.
device_id	text		Canonical identifier for the device this auth event relates to.
events	jsonb		Events that occured during this authentication session
id	text	=	Canonical identifier for this auth event.
initial_status	text		Initial auth status of the device attempting authentication, one of All_Good, Will_Block, Blocked or Unknown if no device was detected.
ip_address	text	=, ~~	IP address of the request intiating this auth event, may be IPv4 or IPv6.
issues_displayed	jsonb		List of issue titles and blocking status that were displayed to the end user
person_email	text		Email of the user triggering this auth event.
person_id	text		Canonical identifier for the user this auth event relates to.
person_name	text		Name of the user triggering this auth event.
result	text		Result of the authentication attempt, either Success or Fail.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
timestamp	timestamp with time zone	=, >, <	When this event started.
title	text		Display name for this event.