Detect IP Address Change Alert - Splunk Community

Alerting

Basically what I need to do is compare a user's authentication request to their most recent session start request and alert when they are different.

Example -
example@email.com sessions started with IP 12.145.123.
example@email.com authentication request IP 12.145.123
example@email.com authentication request with IP 58.145.12.125

I would want to see that authentication request as an alert.

index=yours sourcetype=yours
| rex "(?<email>[\w.\-]+@[\w.\-]+)"
| rex "(?<msg>sessions started with IP|authentication request with IP)"
| rex "(?<ip>\d+\.\d+\.\d+\.\d+)"
| stats min(_time) as firstTime max(_time) as lastTime dc(msg) as auth dc(ip) as flag values(ip) as ip by email
| where flag > 1
| convert ctime(firstTime) ctime(lastTime)

Three rex extract the fields from event. you should fix it .
Email with different ip is malicious, so these display by where flag >1

Perhaps this will help.

index=foo "authentication request with IP" NOT [ search index=foo "session started with IP" | head 1 | fields ip_address | format ]

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...