Badge activity monitoring
In your organization, employees must swipe a badge to enter any building and some secure spaces. Access to locations depends on an employee's role. You work in your organization's SOC and monitoring badge activity is part of regular security protocols. This search takes data logged from RFID / Proximity badge readers, enriches it with facilities and logging information, and then shows activity for a designated badge.
Required data
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Physical card reader data for call detail records
- A CSV or KV lookup file that maps badge error codes to a status
- A CSV or KV lookup file that maps badge reader IDs to their location
- A CSV or KV lookup file that maps user badge IDs to user information
Procedure
- Ensure your lookup file is uploaded to your Splunk deployment.
- If needed, adjust field names to match what is available in your lookup files.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
| sourcetype=<physical card reader logs> | lookup <error code to status mapping> errorCode OUTPUTNEW status | lookup <badge reader ID to location mapping> readerID AS badgereaderId OUTPUTNEW description | lookup <badge to user info mapping> cardId AS badgeId OUTPUTNEW firstName lastName emailAddress employeeId note officeId | search employeeId="25020002" | fields - badgereaderId,envAlarm,errorCode,powerStatus | eval fullName = firstName+" "+lastName | fields _time badgeId employeeId fullName officeId description status note | rename badgeId AS "Badge ID #" employeeId AS "Employee Number" fullName AS "Employee Name" officeId AS "Home Office" description AS "Card Reader Location" status AS "Read Status" note AS "Additional Notes.."
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
| sourcetype=<physical card reader logs> |
Search only your physical card reader data. |
| lookup <error code to status mapping> errorCode OUTPUTNEW status |
Look up the error codes and output the associated status for each. |
| lookup <badge reader ID to location mapping> readerID AS badgereaderId OUTPUTNEW description |
Look for matches between the badgereaderId field in your events and the readerID field in the <badge reader ID to location> lookup table. When matches are found, output the values in the readerID field into a field called description. |
| lookup <badge to user info mapping> cardId AS badgeId OUTPUTNEW firstName lastName emailAddress employeeId note officeId |
Look for matches between the badgeId field in your events and the cardId field in the <badge to user info> lookup table. When matches are found, output the values from the lookup fields shown. |
| search employeeId="25020002" |
Search for a specific employee ID number. |
| fields - badgereaderId,envAlarm,errorCode,powerStatus |
Remove the fields shown from the results. |
| eval fullName = firstName+" "+lastName |
Concatenate the first and last name fields into a single value called fullName . |
| fields _time badgeId employeeId fullName officeId description status note |
Display only the fields shown in the search results. |
| rename badgeId AS "Badge ID #" employeeId AS "Employee Number" fullName AS "Employee Name" officeId AS "Home Office" description AS "Card Reader Location" status AS "Read Status" note AS "Additional Notes.." |
Rename the fields as shown for better readability. |
Next steps
This search may be used for a variety of reasons such as activity logging, compliance, regulatory reporting, and HR related requests.
Finally, you might be interested in other processes associated with the Monitoring badges for facilities access use case.