
How can I detect when a new IP is used by a user ?

ctaf
Contributor

Hello,

I have a search that finds all the IPs used by each user. I would like to run this search periodically so that if a new IP is used by a user, I receive an alert. I was thinking about storing the results in a CSV and comparing the result of the following search with that CSV. But is it efficient?

Also, I am not sure how to save it as a CSV since there can be several IPs for one user:

user1, ip1, ip2
user2, ip1
...

Any ideas?

Thanks

EDIT:

I managed to progress. I used a join with a subsearch:

... earliest=-1d@d latest=@d | stats dc(src_ip) AS count values(src_ip) AS IP by user | fields user, count, IP | join user [ ... earliest=-22d@d latest=-1d@d | stats dc(src_ip) AS count_old values(src_ip) AS IP_old by user | fields user, count_old, IP_old ] | makemv delim=" " IP_old | where IP!=IP_old

But I don't know how to compare the multi-value field "IP" with the multi-value field "IP_old". I would like to keep only the events where IPs in "IP" are new compared to "IP_old".

Any ideas?


woodcock
Esteemed Legend

You can do this:

First create a CSV for what you have seen so far:

... | stats dc(src_ip) AS numIPs values(src_ip) AS IPs BY user | nomv IPs | outputcsv IPsByUser.csv

Next, use this to compare:

... | table src_ip user | eval type="NEW" | append [| inputcsv IPsByUser.csv | makemv delim=" " IPs | mvexpand IPs | rename IPs as src_ip | eval type="OLD"] | stats dc(type) AS numTypes values(*) AS * BY src_ip user

The above base search gives the fully merged set (full join). To get what you need, add this to it:

| where numTypes="1" AND type="NEW"
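The full-join trick in this answer (tag current pairs NEW, baseline pairs OLD, keep the pairs that only carry the NEW tag) and the space-delimited CSV layout the question asked about, worked through in Python as an added example; it is not code from the thread or from Splunk. It assumes a constructed key=value log format with `user` and `src_ip` fields, builds the baseline CSV in memory instead of on disk, and also shows why comparing the two whole multivalue fields (`where IP!=IP_old`) is not enough:

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample events (not from the thread): a 21-day "history" window
# and a 1-day "current" window. carol drops one old IP but gains none;
# alice and dave show up from addresses never seen before.
HISTORY_LOG = """\
2024-12-01T08:00:01 user=alice src_ip=10.0.0.1
2024-12-03T09:12:44 user=alice src_ip=10.0.0.2
2024-12-05T17:30:09 user=bob src_ip=192.168.1.5
2024-12-10T11:02:13 user=carol src_ip=172.16.0.9
2024-12-11T11:02:13 user=carol src_ip=172.16.0.10
"""

CURRENT_LOG = """\
2024-12-22T08:05:10 user=alice src_ip=10.0.0.1
2024-12-22T09:41:57 user=alice src_ip=203.0.113.77
2024-12-22T10:00:00 user=bob src_ip=192.168.1.5
2024-12-22T10:30:00 user=carol src_ip=172.16.0.9
2024-12-22T12:15:30 user=dave src_ip=198.51.100.4
"""

EVENT_RE = re.compile(r"user=(?P<user>\S+)\s+src_ip=(?P<src_ip>\S+)")


def parse_events(log_text):
    """Yield (user, src_ip) pairs from key=value log lines; skip lines that do not match."""
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group("user"), m.group("src_ip")


def build_baseline_csv(log_text):
    """Mirror of `stats dc(src_ip) AS numIPs values(src_ip) AS IPs BY user | nomv IPs | outputcsv`:
    one row per user, the IPs collapsed into a single space-delimited field."""
    ips_by_user = defaultdict(set)
    for user, ip in parse_events(log_text):
        ips_by_user[user].add(ip)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["user", "numIPs", "IPs"])
    for user in sorted(ips_by_user):
        ips = sorted(ips_by_user[user])
        writer.writerow([user, len(ips), " ".join(ips)])
    return buf.getvalue()


def expand_baseline(csv_text):
    """Mirror of `inputcsv | makemv delim=" " IPs | mvexpand IPs | rename IPs AS src_ip`:
    turn each user row back into one (user, src_ip) pair per IP."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        for ip in row["IPs"].split():
            yield row["user"], ip


def new_ip_pairs(current_log, baseline_csv):
    """The full-join trick: group (src_ip, user) pairs from both sides by their tags and
    keep the pairs seen with only the NEW tag (numTypes == 1 AND type == "NEW")."""
    types_by_pair = defaultdict(set)
    for user, ip in parse_events(current_log):
        types_by_pair[(ip, user)].add("NEW")
    for user, ip in expand_baseline(baseline_csv):
        types_by_pair[(ip, user)].add("OLD")
    return sorted(pair for pair, types in types_by_pair.items() if types == {"NEW"})


def naive_changed_users(current_log, baseline_csv):
    """What `where IP!=IP_old` on the whole multivalue fields amounts to: it only says the
    per-user IP set differs, not which IP is new, and it also fires for carol, who merely
    stopped using one of her old IPs."""
    current, baseline = defaultdict(set), defaultdict(set)
    for user, ip in parse_events(current_log):
        current[user].add(ip)
    for user, ip in expand_baseline(baseline_csv):
        baseline[user].add(ip)
    return sorted(u for u in current if current[u] != baseline[u])


if __name__ == "__main__":
    baseline = build_baseline_csv(HISTORY_LOG)
    print(baseline)
    for ip, user in new_ip_pairs(CURRENT_LOG, baseline):
        print(f"NEW: user={user} src_ip={ip}")
```

Running it prints the baseline CSV and then the two genuinely new pairs (alice from 203.0.113.77, dave from 198.51.100.4), while the naive set comparison also flags carol. One caveat the search itself does not cover: the baseline CSV has to be refreshed after each run (for example by appending the pairs that alerted), or the same "new" IP will alert again every day until the CSV is rebuilt.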


kv
Explorer

Hi Woodcock,

Could you explain how it detects the new IP using your command? I can view the results but am not understanding the working part of the command.

Thanks in advance


ctaf
Contributor

Oh, it works great!

Just a remark: you mistyped "user" at the end of the 2nd command (you typed "host").

And I changed "table src_ip user" to a tstats command to use summary data.

Thank you very much!


woodcock
Esteemed Legend

I fixed that mistake; thanks for pointing it out to me.
