Solved: How to compare GeoLocation values of login events ...

olawalePS · ‎11-08-2022

I am trying to create an alert that triggers when the location field of a login event from a user changes. so if a user logged in from London earlier and then the next login comes from Dublin, I want an alert to trigger. The login event has a username and client.geoLocation.city field.

yuanliu · ‎11-09-2022

Assuming your search window is applicable for this kind of alert, you only need to count number of different client.geoLocation.city. Is this correct? Something like

| stats values(eval('client.geoLocation.city')) as geoLocations by username
| where mvcount(geoLocations) > 1

View solution in original post

yuanliu · ‎11-09-2022

Assuming your search window is applicable for this kind of alert, you only need to count number of different client.geoLocation.city. Is this correct? Something like

| stats values(eval('client.geoLocation.city')) as geoLocations by username
| where mvcount(geoLocations) > 1

How to compare GeoLocation values of login events for each user to previous logins?

eval

fields

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases