Archive

Identifying Users that connect from different ip simultaneously on same device

Explorer

Hello, i want to make an alert that trigger when on a specific device, a user connect simultaneously from different IP.
My search is as follow :

source="My Source" | stats dc(src_ip) as count,values(src_ip) as src_ip by user | where count > 1

Thanks in advance

Tags (1)
0 Karma

Explorer

@gcusello , thanks for your answer.
Actually my source is my device.

when i add the device ip as device_id, there is no result.
Actually the request work but send me result when the same user as different ip in different moment of the day (that is "normal"), but i want only same user_id with different IP simultaneously.

0 Karma

SplunkTrust
SplunkTrust

Hi @cnoulin,
in the BY cluase you have to add also the device identificator (name, id or IP).

source="My Source" 
| stats dc(src_ip) as count values(src_ip) as src_ip BY user device_id
| where count > 1

P.S.: use always the index clause in the main search, you'll have more performant searches.

Ciao.
Giuseppe

0 Karma

SplunkTrust
SplunkTrust

Device is mandatory because yu could have that a user accesses to different devices.
So check the exact field name and put it in BY clause.
Ciao.
Giuseppe

0 Karma

Explorer

@gcusello not really in my case, because the source is a firewall and i want to identify external users that use same login from different ip and access the site via the firewall

0 Karma

SplunkTrust
SplunkTrust

Ok easier the aspect of the device!
you could use something like this

 source="My Source" 
 | stats dc(src_ip) as count values(src_ip) as src_ip earliest(_time) AS earliest latest(_time) AS latest BY user device_id
 | where count > 1 AND latest-earliest<300

where you can configure the maximum accepted delay between events (in my example 300 seconds).

Ciao.
Giuseppe

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!