| rex "(?<email>[\w.\-]+@[\w.\-]+)"
| rex "(?<msg>sessions started with IP|authentication request with IP)"
| rex "(?<ip>\d+\.\d+\.\d+\.\d+)"
| stats min(_time) as firstTime max(_time) as lastTime dc(msg) as auth dc(ip) as flag values(ip) as ip by email
| where flag > 1
| convert ctime(firstTime) ctime(lastTime)
Three rex extract the fields from event. you should fix it .
Email with different ip is malicious, so these display by where flag >1