Splunk Search

Group same IPs used in time period by user

mobrienmoore1
New Member

Hello,

I am trying to create a search where the same IP is used more than 50 times by the same email address. So far this is all that I have:

index=* sourcetype=* | stats count by ip | where count > 50

I've tried using various stats commands to add in the usernames, but nothing seems to be working. Any help would be appreciated.

0 Karma

elliotproebstel
Champion

Your current search will tell you if the same IP is seen in more than 50 events, regardless of email_address. Assuming the events contain both the email_address and IP, then this should work:

index=* sourcetype=* 
| stats count by email_address, ip 
| where count > 50

If the email_address and IP are not seen in the same event, we'd probably need to see some sample events to help structure a query.

0 Karma

mobrienmoore1
New Member

Email addresses and IPs are in the same event. I first want to find all IPs used more than 50 times, then pull the email addresses out of those events where the IP has been found to have been used more than 50 times.

0 Karma

elliotproebstel
Champion

When you say "all IPs used more than 50 times", do you mean IPs that have generated at least 50 events in your logs? If so:

index=* sourcetype=*
| stats values(email_address) AS email_address, count by ip
| where count>50

This will return all IP addresses seen in more than 50 events and the email_address values associated with those IP addresses.

0 Karma
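The two answers above differ in what they count, and the difference matters when this search is used to spot an address being shared by many accounts (or one account hammering from one address). The following Python is an added example, not code from the thread or from Splunk: it replays the three SPL aggregations over a small set of constructed events, so you can see which IP/user pairs each form of `stats` would surface with the `where count > 50` filter. The event set, the addresses and the e-mail values are all made up; in Splunk the events would instead be bounded by the time-range picker on the search.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the thread). Each event carries both an
# ip and an email_address, as the asker confirmed their real events do.
EVENTS = (
    [{"ip": "203.0.113.10", "email_address": "alice@example.com"}] * 60   # one user, heavy use
    + [{"ip": "203.0.113.10", "email_address": "bob@example.com"}] * 5    # same IP, light use
    + [{"ip": "198.51.100.7", "email_address": "carol@example.com"}] * 30  # shared IP, two users,
    + [{"ip": "198.51.100.7", "email_address": "dave@example.com"}] * 30   #   neither over 50 alone
    + [{"ip": "192.0.2.1", "email_address": "erin@example.com"}] * 10      # quiet IP
)


def count_by_ip(events, threshold=50):
    """Emulates the original search:
        | stats count by ip | where count > 50
    Returns {ip: count} for every IP seen in more than `threshold` events,
    ignoring who used it."""
    counts = Counter(e["ip"] for e in events)
    return {ip: c for ip, c in counts.items() if c > threshold}


def count_by_email_and_ip(events, threshold=50):
    """Emulates the first answer:
        | stats count by email_address, ip | where count > 50
    Returns {(email_address, ip): count} only for pairs where one user
    produced more than `threshold` events from one IP."""
    counts = Counter((e["email_address"], e["ip"]) for e in events)
    return {pair: c for pair, c in counts.items() if c > threshold}


def values_email_by_ip(events, threshold=50):
    """Emulates the second answer:
        | stats values(email_address) AS email_address, count by ip | where count > 50
    Returns {ip: {"email_address": [...], "count": n}} for busy IPs, listing
    every distinct user seen on them. values() in SPL yields distinct values
    in lexicographic order, which sorted() reproduces here."""
    counts = Counter()
    emails = defaultdict(set)
    for e in events:
        counts[e["ip"]] += 1
        emails[e["ip"]].add(e["email_address"])
    return {
        ip: {"email_address": sorted(emails[ip]), "count": c}
        for ip, c in counts.items()
        if c > threshold
    }


if __name__ == "__main__":
    print("stats count by ip:", count_by_ip(EVENTS))
    print("stats count by email_address, ip:", count_by_email_and_ip(EVENTS))
    print("stats values(email_address) count by ip:", values_email_by_ip(EVENTS))
```

Run against the constructed events, the per-IP forms flag both 203.0.113.10 (65 events) and 198.51.100.7 (60 events), while the per-user-and-IP form flags only alice on 203.0.113.10: the shared address 198.51.100.7 never crosses 50 for any single account. Pick the grouping that matches the behaviour you actually want to alert on, since the two produce different result sets on the same data.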