steampipe plugin install grendel-consulting/kolide

Table: kolide_auth_log

Lists the authentication attempts occurring when a user tries to sign into an App protected by Kolide Device Trust.

Examples

Basic info

select
  timestamp,
  person_name,
  initial_status,
  result
from
  kolide_auth_log;

List all attempts from the past day

select
  timestamp,
  person_name,
  initial_status,
  result
from
  kolide_auth_log
where
  timestamp > date_trunc('day', current_date) - interval '1 day';

List all failed attempts performed by a specific user

select
  timestamp,
  initial_status,
  result
from
  kolide_auth_log
where
  person_name = 'Dennis Nedry'
  and result = 'Fail';

Schema for kolide_auth_log

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| agent_version | text | =, ~~ | Version of the Kolide Agent running on the endpoint, if known. |
| browser_name | text | =, ~~ | Common name of the browser used to initiate the session, subject to the limitations and accuracy of browser detection. |
| browser_user_agent | text | | User agent information for the browser used to initiate this session, subject to the limitations and accuracy of browser detection. |
| city | text | =, ~~ | Name of the city that the session originated from, determined by IP address and subject to the limitations of IP geocoding. |
| country | text | =, ~~ | Name of the country that the session originated from, determined by IP address and subject to the limitations of IP geocoding. |
| device_id | text | | Canonical identifier for the device this auth event relates to. |
| events | jsonb | | Events that occurred during this authentication session. |
| id | text | = | Canonical identifier for this auth event. |
| initial_status | text | | Initial auth status of the device attempting authentication, one of All_Good, Will_Block, Blocked or Unknown if no device was detected. |
| ip_addres | text | =, ~~ | IP address of the request initiating this auth event, may be IPv4 or IPv6. |
| issues_displayed | jsonb | | List of issue titles and blocking status that were displayed to the end user. |
| person_email | text | | Email of the user triggering this auth event. |
| person_id | text | | Canonical identifier for the user this auth event relates to. |
| person_name | text | | Name of the user triggering this auth event. |
| result | text | | Result of the authentication attempt, either Success or Fail. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| timestamp | timestamp with time zone | =, >, < | When this event started. |
| title | text | | Display name for this event. |
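
The following query is an added example, not part of the plugin's own documentation. It uses only columns from the schema above to surface people with repeated failed sign-ins, along with how many source IPs and countries those failures came from. The 7-day window and the threshold of 3 are assumptions chosen for illustration.

```sql
-- Added example: repeated failed sign-ins per person over the last 7 days.
-- Column names (including ip_addres) and the values 'Fail' and 'Unknown'
-- are taken from the schema above; the window and threshold are assumptions.
select
  person_email,
  count(*) as failed_attempts,
  count(distinct ip_addres) as distinct_ips,
  count(distinct country) as distinct_countries,
  -- Failures where no device was detected at all
  count(*) filter (where initial_status = 'Unknown') as no_device_detected,
  min(timestamp) as first_failure,
  max(timestamp) as last_failure
from
  kolide_auth_log
where
  -- The schema lists > as a supported operator for timestamp
  timestamp > now() - interval '7 days'
  and result = 'Fail'
group by
  person_email
having
  count(*) >= 3
order by
  failed_attempts desc;
```

A high distinct_countries or distinct_ips count for one person is worth a closer look, bearing in mind the IP geocoding limitations noted in the column descriptions.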