Basically what I need to do is compare a user's authentication request to their most recent session start request and alert when they are different.
Example -
example@email.com sessions started with IP 12.145.123.
example@email.com authentication request IP 12.145.123
example@email.com authentication request with IP 58.145.12.125
I would want to see that authentication request as an alert.
index=yours sourcetype=yours
| rex "(?<email>[\w.\-]+@[\w.\-]+)"
| rex "(?<msg>sessions started with IP|authentication request with IP)"
| rex "(?<ip>\d+\.\d+\.\d+\.\d+)"
| stats min(_time) as firstTime max(_time) as lastTime dc(msg) as auth dc(ip) as flag values(ip) as ip by email
| where flag > 1
| convert ctime(firstTime) ctime(lastTime)
The three rex commands extract the fields from the event; you should fix them.
An email with different IPs is malicious, so these are displayed by where flag > 1.
Perhaps this will help.
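The per-user comparison the question asks for (each authentication request checked against that user's most recent preceding session start), as an added Python example that is not code from the post or from Splunk. It parses constructed sample lines in the question's format; note that a user whose session start moved to a new IP before authenticating is not flagged, unlike the dc(ip) > 1 approach above, and a user with no prior session start is.

```python
import re

# Constructed sample events (not from the original post); format mirrors the question
SAMPLE_EVENTS = """\
2024-01-01T08:00:00 example@email.com sessions started with IP 12.145.123.4
2024-01-01T08:05:00 example@email.com authentication request with IP 12.145.123.4
2024-01-01T09:00:00 example@email.com authentication request with IP 58.145.12.125
2024-01-01T10:00:00 other@email.com sessions started with IP 10.0.0.1
2024-01-01T10:30:00 other@email.com sessions started with IP 10.0.0.2
2024-01-01T10:45:00 other@email.com authentication request with IP 10.0.0.2
2024-01-01T11:00:00 nosession@email.com authentication request with IP 203.0.113.9
"""

# Same field patterns as the three rex commands, combined into one anchored regex
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<email>[\w.\-]+@[\w.\-]+)\s+"
    r"(?P<msg>sessions started with IP|authentication request with IP)\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def parse_events(text):
    """Yield (ts, email, msg, ip) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("email"), m.group("msg"), m.group("ip")

def find_mismatched_auths(text):
    """Return alerts for authentication requests whose IP differs from the
    user's most recent preceding session start. Events are processed in
    timestamp order, so 'most recent' is tracked per user, not globally."""
    last_session_ip = {}   # email -> IP of that user's latest session start
    alerts = []
    for ts, email, msg, ip in sorted(parse_events(text)):
        if msg.startswith("sessions started"):
            last_session_ip[email] = ip
            continue
        expected = last_session_ip.get(email)
        if expected is None:
            alerts.append((ts, email, ip, "no prior session start"))
        elif expected != ip:
            alerts.append((ts, email, ip, f"session IP was {expected}"))
    return alerts

if __name__ == "__main__":
    for alert in find_mismatched_auths(SAMPLE_EVENTS):
        print(*alert)
```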
index=foo "authentication request with IP" NOT [ search index=foo "sessions started with IP" | head 1 | fields ip_address | format ]