I have the following search which creates a table showing the number VPN logins based on the location of the login.
<MySearch> | iplocation vpn_remote_ip | search Country="United States" | stats count by vpn_user City Region
vpn_user City Region count
User 1 Ashburn Virginia 2
User 1 Sacramento California 236
User 3 Ocala Florida 7
User 4 Baltimore Maryland 315
User 5 Edgewater Maryland 8
User 6 Baltimore Maryland 344
So, what I would like to do is have an alert be triggered for User 1 accessing the VPN from Ashburn, VA since they typically are logging in from Sacramento, CA for the majority of connections.
I feel like I may be able to use distinct count for this, but have been unable to get it to work.
Any suggestions or better ideas?
Try like this
<MySearch> | iplocation vpn_remote_ip | search Country="United States" | eval location=City.",".Region | stats count by vpn_user location | eventstats max(count) as max by vpn_user | where count!=max
View solution in original post