Detect IP Address Change Alert

New Member

Basically what I need to do is compare a user's authentication request to their most recent session start request and alert when they are different.

Example - sessions started with IP 12.145.123. authentication request IP 12.145.123 authentication request with IP

I would want to see that authentication request as an alert.

Labels (1)
0 Karma

Ultra Champion
index=yours sourcetype=yours
| rex "(?<email>[\w.\-]+@[\w.\-]+)"
| rex "(?<msg>sessions started with IP|authentication request with IP)"
| rex "(?<ip>\d+\.\d+\.\d+\.\d+)"
| stats min(_time) as firstTime max(_time) as lastTime dc(msg) as auth dc(ip) as flag values(ip) as ip by email
| where flag > 1
| convert ctime(firstTime) ctime(lastTime)

Three rex extract the fields from event. you should fix it .
Email with different ip is malicious, so these display by where flag >1


Perhaps this will help.

index=foo "authentication request with IP" NOT [ search index=foo "session started with IP" | head 1 | fields ip_address | format ]
If this reply helps you, an upvote would be appreciated.
0 Karma