@rezamt
Last active April 29, 2025 00:53

Lookup invalid Authentication Method

| makeresults count=6
| streamstats count as _n
| eval method=case(
    _n=1,"Windows Hello for Business",
    _n=2,"Microsoft Authenticator push",
    _n=3,"Pincode",
    _n=4,"Microsoft Authenticator push",
    _n=5,"Microsoft Authenticator passwordless",
    _n=6,"Microsoft Authenticator passwordless"
  )
| lookup WhiteListed-Authentication-Methods Method AS method OUTPUT Method AS listed_method
| where isnull(listed_method)
| eval result = "Invalid Authentication Method detected: ".method
| table _time, result

WhiteListed-Authentication-Methods.csv must be defined as a lookup definition in Splunk (the query above references it as WhiteListed-Authentication-Methods).

| Method | PrimaryAuthentication | SecondaryAuthentication |
| --- | --- | --- |
| Windows Hello for Business | Yes | MFA |
| Microsoft Authenticator push | No | MFA and SSPR |
| Microsoft Authenticator passwordless | Yes | No |
| Microsoft Authenticator passkey | Yes | MFA |
| Authenticator Lite | No | MFA |
| Passkey (FIDO2) | Yes | MFA |
| Certificate-based authentication (CBA) | Yes | MFA |
| Hardware OATH tokens (preview) | No | MFA and SSPR |
| Software OATH tokens | No | MFA and SSPR |
| External authentication methods (preview) | No | MFA |
| Temporary Access Pass (TAP) | Yes | MFA |
| Text | Yes | MFA and SSPR |
| Voice call | No | MFA and SSPR |
| QR code (preview) | Yes | No |
| Password | Yes | No |
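
The query above only checks whether a method is present in the lookup. The following added example (not part of the original gist) goes one step further and uses the lookup's PrimaryAuthentication and SecondaryAuthentication columns to flag a listed method used in a role the table does not allow. The field `used_as` and its values are hypothetical, constructed here with makeresults; in real data it would have to be derived from the sign-in event.

```spl
| makeresults count=4
| streamstats count as n
| eval method=case(
    n=1,"Windows Hello for Business",
    n=2,"Microsoft Authenticator push",
    n=3,"Pincode",
    n=4,"Voice call"
  )
| eval used_as=case(
    n=1,"primary",
    n=2,"primary",
    n=3,"primary",
    n=4,"secondary"
  )
| lookup WhiteListed-Authentication-Methods Method AS method OUTPUT Method AS listed_method, PrimaryAuthentication, SecondaryAuthentication
| eval result=case(
    isnull(listed_method), "Invalid Authentication Method detected: ".method,
    used_as="primary" AND PrimaryAuthentication="No", "Method not permitted as primary authentication: ".method,
    used_as="secondary" AND SecondaryAuthentication="No", "Method not permitted as secondary authentication: ".method
  )
| where isnotnull(result)
| table _time, method, used_as, result
```

With the lookup contents listed above, rows 2 ("Microsoft Authenticator push" as primary) and 3 ("Pincode", not listed) are returned; rows 1 and 4 pass.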