Privileged Access Management (PAM) Admin is looking for a way to determine which A2A Alias(s) are being activity used.
They attempted to use the following report:
PAM UI >> Credentials >> Reports >> Account Requests
However since their purge policy is set to 7 days, the report only goes back 7 days.
PAM 4.1.x, 4.2.x
A2A 4.12.3
PAM Admin was integrating PAM with Splunk, so I advised to run the following search:
index=<your index> host=<pam server> metric "type=getAccount"
| rex "targetServerAlias=(?<targetServerAlias>[^ ]+)"
| search errorCode=0
| stats count by targetServerAlias
that will count how many times a successful A2A calls against a certain Alias was used.
In Splunk, you can also advise in the search criteria how far you want to go back. IE: 24 hours, one month, year to date, etc.