Splunk App for Enterprise Security · v7.3.0
Day 28 lab · Lab 28 — Cloud detection · Week 4
Build cloud detections — impossible travel and MFA fatigue on Okta.
- Run the pre-loaded impossible-travel SPL.
- Run the MFA-fatigue SPL.
- List 3 more cloud detections you'd build first.
Hint: country_count > 1 for the same user within 1h = impossible travel. Always cross-check VPN logs first, since a corporate VPN or proxy egress can make one user appear to log in from two countries.
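As an added example (not the lab's pre-loaded SPL), both detections written in Python over a handful of constructed Okta-style events, so the logic can be checked before it is translated to SPL. The field names, event names, the VPN egress IP and the thresholds are assumptions, not a real tenant's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(user, ts, country, ip, event):
    # Constructed Okta-style event; field and event names are assumptions, not a real schema.
    return {"user": user, "ts": ts, "country": country, "ip": ip, "event": event}

EVENTS = [
    ev("alice", "2024-05-01T09:00:00", "US", "198.51.100.7", "user.session.start"),
    ev("alice", "2024-05-01T09:40:00", "DE", "203.0.113.9", "user.session.start"),   # 40 min later
    ev("bob",   "2024-05-01T10:00:00", "US", "198.51.100.8", "user.session.start"),
    ev("bob",   "2024-05-01T10:30:00", "NL", "192.0.2.44",   "user.session.start"),  # assumed VPN egress
    ev("carol", "2024-05-01T11:00:00", "US", "198.51.100.9", "user.session.start"),
    ev("carol", "2024-05-01T13:00:00", "FR", "203.0.113.10", "user.session.start"),  # 2 h later
] + [ev("dave", f"2024-05-01T12:0{i}:00", "US", "203.0.113.5",
        "system.push.send_factor_verify_push") for i in range(6)]       # 6 pushes in 5 min

def _by_user(events, wanted_event):
    # Group one event type per user, ordered by time.
    groups = defaultdict(list)
    for e in events:
        if e["event"] == wanted_event:
            groups[e["user"]].append((datetime.fromisoformat(e["ts"]), e))
    return {u: sorted(rows, key=lambda r: r[0]) for u, rows in groups.items()}

def impossible_travel(events, vpn_ips=frozenset(), window=timedelta(hours=1)):
    """Users seen from more than one country inside `window` (country_count > 1 within 1h).
    Logins from known VPN egress IPs are dropped first: the lab's 'cross-check VPN logs' step."""
    hits = set()
    for user, rows in _by_user(events, "user.session.start").items():
        rows = [r for r in rows if r[1]["ip"] not in vpn_ips]
        for i, (t0, _) in enumerate(rows):
            countries = {e["country"] for t, e in rows[i:] if t - t0 <= window}
            if len(countries) > 1:
                hits.add(user)
                break
    return hits

def mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received at least `threshold` push challenges inside any `window`;
    returns the largest burst seen per user."""
    hits = {}
    for user, rows in _by_user(events, "system.push.send_factor_verify_push").items():
        times = [t for t, _ in rows]
        for i, t0 in enumerate(times):
            burst = sum(1 for t in times[i:] if t - t0 <= window)
            if burst >= threshold:
                hits[user] = max(hits.get(user, 0), burst)
    return hits
```

With the VPN egress IP supplied, bob drops out of the impossible-travel result and only alice remains; carol's two countries are 2 h apart and never match.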
New Search (supported SPL subset): search field=value (wildcards) · stats count by f1,f2 · where field op N · sort -field · top N field · head N · table f1 f2