Splunk Search

[ Search] Finding the same user connecting to Okta from Separate IPs

mattdev
Loves-to-Learn Lots

Currently trying to work out a search that would allow me to generate a notable event if a user has made successful connections to Okta from different IPs within the same timespan. I tried searching the boards but couldn't come up with something that matched my scenario.

TL;DR: How do I create the notable for when the same user has 2 or more sessions from different IPs?

Example:

  • UserA connects to Okta and creates a session for 3 hours (12 pm - 3 pm) from 1.1.1.1.
  • UserA connects to Okta and creates a session for 6 hours (2 pm - 8 pm) from 2.2.2.2.

I've tried concurrency, and have also tried using transaction based on sessions, but can't seem to tie it together. I'm also just starting out with Splunk, so I'm still learning it all. Any help would be appreciated.

index=okta eventtype=okta_log_authentication
| rename authenticationContext.externalSessionId as session
| transaction session startswith="user.session.start" endswith="user.session.end"
| streamstats count(session) AS TotalSession by src_ip, user
| search TotalSession>=2
| table _time src_ip user duration TotalSession
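The detection the post describes, written out as an added example (not the poster's search and not Okta's or Splunk's own code): pair each user.session.start with its user.session.end by session id, as the transaction step above does, then group by user alone and flag any two sessions whose time ranges overlap while their src_ip values differ. Grouping by user rather than by src_ip and user is the key point: a per-IP count can never see two IPs for the same account. The events, field names (eventType, user, src_ip, externalSessionId, _time) and timestamps below are constructed to mirror the post's example, with two non-notable control cases added; the eventType field name is an assumption.

```python
"""Flag a user holding concurrent Okta sessions from different source IPs.

Added example: pairs session start/end events by session id, then reports any
user with overlapping sessions whose src_ip values differ.
"""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample events (not real Okta data). UserA reproduces the post's
# example; UserB overlaps from one IP and UserC uses two IPs without overlap.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T12:00:00", "eventType": "user.session.start",
     "user": "UserA", "src_ip": "1.1.1.1", "externalSessionId": "sA1"},
    {"_time": "2024-01-01T14:00:00", "eventType": "user.session.start",
     "user": "UserA", "src_ip": "2.2.2.2", "externalSessionId": "sA2"},
    {"_time": "2024-01-01T15:00:00", "eventType": "user.session.end",
     "user": "UserA", "src_ip": "1.1.1.1", "externalSessionId": "sA1"},
    {"_time": "2024-01-01T20:00:00", "eventType": "user.session.end",
     "user": "UserA", "src_ip": "2.2.2.2", "externalSessionId": "sA2"},
    {"_time": "2024-01-01T09:00:00", "eventType": "user.session.start",
     "user": "UserB", "src_ip": "3.3.3.3", "externalSessionId": "sB1"},
    {"_time": "2024-01-01T09:30:00", "eventType": "user.session.start",
     "user": "UserB", "src_ip": "3.3.3.3", "externalSessionId": "sB2"},
    {"_time": "2024-01-01T10:00:00", "eventType": "user.session.end",
     "user": "UserB", "src_ip": "3.3.3.3", "externalSessionId": "sB1"},
    {"_time": "2024-01-01T08:00:00", "eventType": "user.session.start",
     "user": "UserC", "src_ip": "4.4.4.4", "externalSessionId": "sC1"},
    {"_time": "2024-01-01T09:00:00", "eventType": "user.session.end",
     "user": "UserC", "src_ip": "4.4.4.4", "externalSessionId": "sC1"},
    {"_time": "2024-01-01T10:00:00", "eventType": "user.session.start",
     "user": "UserC", "src_ip": "5.5.5.5", "externalSessionId": "sC2"},
]


def build_sessions(events, now_iso):
    """Pair start/end events by session id (the transaction step).

    A session with no end event yet is still open, so its end is set to
    `now_iso`; otherwise an in-progress session would never be evaluated.
    """
    now = datetime.fromisoformat(now_iso)
    sessions = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        sid = ev["externalSessionId"]
        t = datetime.fromisoformat(ev["_time"])
        if ev["eventType"] == "user.session.start":
            sessions[sid] = {"user": ev["user"], "src_ip": ev["src_ip"],
                             "session": sid, "start": t, "end": None}
        elif ev["eventType"] == "user.session.end" and sid in sessions:
            sessions[sid]["end"] = t
    for s in sessions.values():
        if s["end"] is None:
            s["end"] = now
    return list(sessions.values())


def overlapping(a, b):
    """True when the two sessions' time ranges intersect."""
    return a["start"] < b["end"] and b["start"] < a["end"]


def find_concurrent_multi_ip(events, now_iso):
    """One finding per user with overlapping sessions from different IPs."""
    by_user = defaultdict(list)
    for s in build_sessions(events, now_iso):
        by_user[s["user"]].append(s)
    findings = []
    for user, sess in by_user.items():
        flagged = set()
        for a, b in combinations(sess, 2):
            if a["src_ip"] != b["src_ip"] and overlapping(a, b):
                flagged.update([a["session"], b["session"]])
        if flagged:
            hits = [s for s in sess if s["session"] in flagged]
            findings.append({"user": user,
                             "src_ips": sorted({s["src_ip"] for s in hits}),
                             "sessions": sorted(flagged)})
    return findings


if __name__ == "__main__":
    for finding in find_concurrent_multi_ip(SAMPLE_EVENTS, "2024-01-01T23:00:00"):
        print(finding)
```

Only UserA is reported: UserB's sessions overlap but share an IP, and UserC's two IPs are used in sessions that never coincide. The open-session handling matters in production too, because the attacker's session is usually the one that has not ended yet when the alert should fire.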
