Hello,
I am currently using the following syntax to retrieve details of IP addresses that were used by multiple accounts to log in. The search time range is currently dynamic and can be adjusted simply by changing the time range picker.
index="main" sourcetype="logs"
| iplocation RemoteAddr
| stats dc(SignonUserId) as UniqueAccounts by RemoteAddr
| where UniqueAccounts > 1
| sort -UniqueAccounts
I'm looking for a way to report results only when UniqueAccounts is greater than 2 AND there was no previous login activity from that RemoteAddr prior to today. So, for example, if it found that 1.1.1.1 has been used periodically over the last 7+ days, it would not show up as a result when it found that the IP address was used by 2 unique accounts to log in today. Please let me know if you have any questions.
I was able to resolve this using the following syntax:
index="main" sourcetype="logs"
| stats dc(SignonUserId) as RecentUniqueLogins by RemoteAddr
| where RecentUniqueLogins > 1
| append
[ search index="main" sourcetype="logs" earliest=-30d@d latest=@d
| stats dc(SignonUserId) as TotalUniqueLogins by RemoteAddr ]
| stats sum(RecentUniqueLogins) as RL sum(TotalUniqueLogins) as TL by RemoteAddr
| where RL = TL
| iplocation RemoteAddr
| fields RemoteAddr, RL, TL, Country, Region, City
| rename RemoteAddr as "IP Address", RL as "Yesterday Unique Logins", TL as "Total Unique Logins", Region as "Region/State"
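An alternative way to get the same result, added here as an editor's example and not the poster's own query: run one search over the whole lookback window and split events into "today" and "prior" buckets with eval, so the two counts are computed per RemoteAddr in a single stats and nothing has to be joined afterwards (appendcols pairs the first row of the subsearch with the first row of the main search by position, not by RemoteAddr, which is why a subsearch join has to be row-aligned before comparing counts). The example assumes the same index, sourcetype and field names as the question (index=main, sourcetype=logs, RemoteAddr, SignonUserId); the 30-day lookback and the threshold of more than 1 distinct account are assumptions to adjust to your environment.

```spl
index="main" sourcetype="logs" earliest=-30d@d latest=now
| eval window=if(_time >= relative_time(now(), "@d"), "today", "prior")
| stats dc(eval(if(window="today", SignonUserId, null()))) as TodayUniqueAccounts
        count(eval(window="prior")) as PriorLogins
        min(_time) as FirstSeen
        by RemoteAddr
| where TodayUniqueAccounts > 1 AND PriorLogins = 0
| iplocation RemoteAddr
| convert ctime(FirstSeen)
| table RemoteAddr TodayUniqueAccounts PriorLogins FirstSeen Country Region City
| sort -TodayUniqueAccounts
```

Because earliest and latest are set in the search string they override the time range picker; PriorLogins = 0 is what enforces "no activity before today", and FirstSeen lets you confirm at a glance that the IP really first appeared today. Expect shared egress addresses (corporate NAT, VPN concentrators, cloud proxies) to trip the distinct-account threshold legitimately; excluding them with a lookup of known egress ranges keeps the report actionable.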