Security

see users logging in from more than one country

New Member

I would like to show only users logging in from multiple countries. How would I manipulate this search to do that?

index="index" "Login succeeded for" | iplocation sip | stats count(sip) AS ipCount by sslvpnusername, sip, _time, Country, City | where ipCount >=1 | table _time, sslvpnusername, sip, Country, City | dedup sip

I get a similar table:

time sslvpnuser_name sip country city
time user1 ip Country City
time user2 ip Country City
time user3 ip Country City
time user3 DIFip DIFCountry DIFCITY

0 Karma
1 Solution

Influencer

Append this to your search:

| eventstats dc(country) as COUNT by sslvpnuser_name | where COUNT > 1

0 Karma
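
The following is an added example, not part of the original thread: a small Python model of the appended `eventstats dc(...) ... | where COUNT > 1` step, run over constructed rows, showing that the distinct count only sees the rows that reach it, so a `dedup sip` placed earlier can hide a user who shares an address with someone else. The `user` key, the sample rows, and the decision to ignore rows with an empty `Country` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows shaped like the output of `iplocation sip`.
# "user" stands in for the page's VPN username field; IPs are documentation ranges.
EVENTS = [
    {"_time": "08:00", "user": "user1", "sip": "192.0.2.10", "Country": "Germany"},
    {"_time": "08:05", "user": "user3", "sip": "192.0.2.10", "Country": "Germany"},  # shares user1's egress IP
    {"_time": "09:00", "user": "user2", "sip": "198.51.100.7", "Country": "France"},
    {"_time": "09:30", "user": "user2", "sip": "10.0.0.5", "Country": ""},  # private IP, no geolocation
    {"_time": "11:00", "user": "user3", "sip": "203.0.113.44", "Country": "Brazil"},
    {"_time": "12:00", "user": "user3", "sip": "203.0.113.44", "Country": "Brazil"},  # repeat login
]


def dedup(rows, *fields):
    """Keep the first row for each combination of `fields`, like SPL `dedup`."""
    seen, kept = set(), []
    for row in rows:
        key = tuple(row[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(row)
    return kept


def multi_country(rows):
    """Model of `eventstats dc(Country) AS COUNT BY user | where COUNT > 1`.

    Every surviving row is kept and annotated (eventstats does not collapse rows).
    Rows with an empty Country are not counted; that choice is an assumption.
    """
    seen = defaultdict(set)
    for row in rows:
        if row["Country"]:
            seen[row["user"]].add(row["Country"])
    return [dict(row, COUNT=len(seen[row["user"]]))
            for row in rows if len(seen[row["user"]]) > 1]


def users(rows):
    """Sorted list of distinct users present in `rows`."""
    return sorted({row["user"] for row in rows})


# Count over all rows, then collapse repeats per user and address.
count_first = dedup(multi_country(EVENTS), "user", "sip")
# Collapse by address alone first, then count: user3's Germany row is already gone.
dedup_first = multi_country(dedup(EVENTS, "sip"))

if __name__ == "__main__":
    for row in count_first:
        print(row)
    print("count first:", users(count_first), "| dedup sip first:", users(dedup_first))
```
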

New Member

Perfect! Thank you very much!

0 Karma