[ Search] Finding the same user connecting to Okta...

mattdev · ‎06-23-2021

Currently trying to work out a search that would allow me to generate a notable event if a user has made successful connections to Okta from different IP's during within the same timespan. I tried searching the boards but couldn't come up with something that matched my scenario.

TLDR: How do I create the notable for when the same user has 2 or more sessions from different IP's?

Example:

UserA connects to okta and creates a session for 3 hours (12 pm - 3pm) from 1.1.1.1.
UserA connects to okta and creates a session for 6 hours (2pm - 8pm) from 2.2.2.2

I've tried concurrency, and have also tried using transaction based on sessions but can't seem to tie it together. I'm also just starting out with Splunk so i'm still learning it all. Any help would be appreciated.

index=okta eventtype=okta_log_authentication
| rename authenticationContext.externalSessionId as session
| transaction session startswith="user.session.start" endswith="user.session.end"
| streamstats count(session) AS TotalSession by src_ip, user
| search TotalSession>=2
| table _time src_ip user duration TotalSession

[ Search] Finding the same user connecting to Okta from Separate IPs

table

transaction

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio