Hi All,
I'm trying to create a search that could potentially be made into a monitoring rule later on.
What I am trying to achieve is a way to check whether a user has logged into his machine from a wildly different IP address. This will be using external IP addresses only.
As an example, I want to know if a user logged into the estate from an IP which wasn't the same as, or similar to, the previous day's.
User   | Today        | Yesterday    |
-------|--------------|--------------|
User A | 155.123.1.1  | 155.123.1.1  |
User B | 155.124.1.2  | 155.125.20.2 |
User C | 155.166.2.5  | 22.18.254.56 |
In the table above, I have 3 users. Users A and B have logged in from pretty similar IPs, although user B has logged in from a different one today (this often happens in our logs). What I am more interested in seeing is User C, who has logged in from a completely different subnet and is not similar to their IP from the previous day.
This is what I have so far:
index=foo (earliest=-1d@d latest=now())
| eval TempClientIP=split(ForwardedClientIpAddress,",")
| eval ClientIP=mvindex(TempClientIP,0)
| eval ClientIP1=mvindex(TempClientIP,1)
| eval ClientIP2=mvindex(TempClientIP,2)
| search NOT ClientIP=10.*
| where LIKE("ClientIP","ClientIP")
| eval when=if(_time<=relative_time(now(), "@d"), "Yesterday", "Today")
| chart values(ClientIP) over user by when
| where Yesterday!=Today
Some context regarding the search: the ForwardedClientIpAddress field has 3 items inside; ClientIP and ClientIP1 are the same address, and ClientIP2 is the internal end address. ClientIP can be an internal address, which is why there is a NOT to remove it from the searches.
Any help would be very much appreciated.
Thanks
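An added example, not part of the original post, showing the comparison the question asks for in Python rather than SPL so the day bucketing and the similarity rule are visible in full. The events are constructed, the field is shortened to `fwd`, and the /8 "similar" threshold is an assumption chosen so that the post's table comes out as described (A and B similar, C flagged).

```python
import ipaddress
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed events in the post's ForwardedClientIpAddress layout: client IP, same IP again, internal end address.
TODAY = date(2024, 5, 2)
SAMPLE_EVENTS = [
    {"_time": "2024-05-01 09:00:00", "user": "User A", "fwd": "155.123.1.1, 155.123.1.1, 10.1.2.3"},
    {"_time": "2024-05-02 09:05:00", "user": "User A", "fwd": "155.123.1.1, 155.123.1.1, 10.1.2.3"},
    {"_time": "2024-05-01 08:30:00", "user": "User B", "fwd": "155.125.20.2, 155.125.20.2, 10.1.2.4"},
    {"_time": "2024-05-02 08:45:00", "user": "User B", "fwd": "155.124.1.2, 155.124.1.2, 10.1.2.4"},
    {"_time": "2024-05-01 10:00:00", "user": "User C", "fwd": "22.18.254.56, 22.18.254.56, 10.1.2.5"},
    {"_time": "2024-05-02 10:10:00", "user": "User C", "fwd": "155.166.2.5, 155.166.2.5, 10.1.2.5"},
    # User D's only login yesterday came through an internal hop, so there is no baseline to compare.
    {"_time": "2024-05-01 11:00:00", "user": "User D", "fwd": "10.9.9.9, 10.9.9.9, 10.1.2.6"},
    {"_time": "2024-05-02 11:00:00", "user": "User D", "fwd": "155.200.1.1, 155.200.1.1, 10.1.2.6"},
]

def external_client_ip(forwarded):
    """First public hop in the list, or None; is_private covers every RFC 1918 block, not just 10.*."""
    for part in forwarded.split(","):
        addr = ipaddress.ip_address(part.strip())
        if not addr.is_private:
            return addr
    return None

def same_network(a, b, prefix):
    """True when both IPv4 addresses share the same /prefix (leading bits compared numerically)."""
    return int(a) >> (32 - prefix) == int(b) >> (32 - prefix)

def flag_ip_changes(events, today, prefix=8):
    """Users seen on both days where no yesterday/today pair shares a /prefix.
    /8 reproduces the post's table (A, B similar; C flagged); /16 would also flag B."""
    yesterday = today - timedelta(days=1)
    seen = defaultdict(lambda: defaultdict(set))  # user -> day label -> external IPs
    for ev in events:
        ip = external_client_ip(ev["fwd"])
        day = datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S").date()
        when = {today: "Today", yesterday: "Yesterday"}.get(day)
        if ip is not None and when is not None:
            seen[ev["user"]][when].add(ip)
    flagged = {}
    for user, ips in seen.items():
        y, t = ips.get("Yesterday", set()), ips.get("Today", set())
        if y and t and not any(same_network(a, b, prefix) for a in y for b in t):
            flagged[user] = (sorted(map(str, y)), sorted(map(str, t)))
    return flagged

def run_example(prefix=8):
    return flag_ip_changes(SAMPLE_EVENTS, TODAY, prefix)
```

Keeping all of a day's external IPs per user (rather than the last one) mirrors `chart values(ClientIP)`, so a user who logged in from several places is only flagged when none of them is near yesterday's.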