Alerting

How can I alert on VPN users who are accessing the VPN from an area outside their normal city?

digital_alchemy
Path Finder

I have the following search which creates a table showing the number of VPN logins based on the location of the login.

Current Search:

<MySearch> | iplocation vpn_remote_ip | search Country="United States" | stats count by vpn_user City Region

Example output:

vpn_user    City          Region        count
User 1      Ashburn       Virginia      2
User 1      Sacramento    California    236
User 3      Ocala         Florida       7
User 4      Baltimore     Maryland      315
User 5      Edgewater     Maryland      8
User 6      Baltimore     Maryland      344

So, what I would like to do is have an alert be triggered for User 1 accessing the VPN from Ashburn, VA since they typically are logging in from Sacramento, CA for the majority of connections.

I feel like I may be able to use distinct count for this, but have been unable to get it to work.

Any suggestions or better ideas?

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

<MySearch> | iplocation vpn_remote_ip | search Country="United States" | eval location=City.",".Region | stats count by vpn_user location | eventstats max(count) as max by vpn_user | where count!=max

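The same detection as an added Python example, not part of the original thread or of Splunk: it reproduces the `stats count by vpn_user location | eventstats max(count) as max by vpn_user | where count!=max` logic from the accepted answer over a handful of constructed, geolocated login rows, and adds an optional `max_share` threshold (my addition, not in the thread) so that a location holding a sizeable share of a user's logins is not alerted on merely for not being the single most common one. The function names `load_events`, `count_by_user_location` and `flag_off_baseline` are assumptions for this example.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample rows (not from the original post): one successful VPN
# login per row, after iplocation has resolved the remote IP to City/Region/Country.
SAMPLE_EVENTS = """vpn_user,City,Region,Country
User 1,Sacramento,California,United States
User 1,Sacramento,California,United States
User 1,Sacramento,California,United States
User 1,Ashburn,Virginia,United States
User 3,Ocala,Florida,United States
User 3,Ocala,Florida,United States
User 6,Baltimore,Maryland,United States
User 6,Baltimore,Maryland,United States
User 6,Baltimore,Maryland,United States
User 6,Toronto,Ontario,Canada
"""


def load_events(text):
    """Parse the CSV-style event export into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def count_by_user_location(rows, country="United States"):
    """Equivalent of:
         search Country="United States"
         | eval location=City.",".Region
         | stats count by vpn_user location
    Returns {(vpn_user, "City,Region"): count}.
    """
    counts = Counter()
    for r in rows:
        if r["Country"] != country:
            continue  # the thread's search only keeps US logins
        location = f'{r["City"]},{r["Region"]}'
        counts[(r["vpn_user"], location)] += 1
    return counts


def flag_off_baseline(counts, max_share=1.0):
    """Equivalent of:
         eventstats max(count) as max by vpn_user | where count!=max
    With the default max_share=1.0 this matches the answer exactly: every
    location that is not the user's most frequent one is returned.
    A smaller max_share (assumed refinement, not in the thread) additionally
    requires count/max <= max_share, so a near-tie in a user's baseline
    (for example a second office) does not fire the alert.
    """
    max_by_user = defaultdict(int)
    for (user, _), c in counts.items():
        max_by_user[user] = max(max_by_user[user], c)

    flagged = []
    for (user, location), c in sorted(counts.items()):
        mx = max_by_user[user]
        if c != mx and c / mx <= max_share:
            flagged.append({"vpn_user": user, "location": location,
                            "count": c, "max": mx})
    return flagged


def run_alert(text=SAMPLE_EVENTS, max_share=1.0):
    """Whole pipeline: parse, aggregate, then return the rows to alert on."""
    return flag_off_baseline(count_by_user_location(load_events(text)), max_share)


if __name__ == "__main__":
    for hit in run_alert():
        print(f'{hit["vpn_user"]} logged in from {hit["location"]} '
              f'{hit["count"]}x (baseline location: {hit["max"]}x)')
```

With the sample data only User 1's Ashburn login is returned; the Toronto row is dropped by the country filter before aggregation, and with `max_share=0.2` the Ashburn login (one third of that user's logins) is no longer flagged.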

