Currently trying to work out a search that would allow me to generate a notable event if a user has made successful connections to Okta from different IP's during within the same timespan. I tried searching the boards but couldn't come up with something that matched my scenario.
TLDR: How do I create the notable for when the same user has 2 or more sessions from different IP's?
Example:
I've tried concurrency, and have also tried using transaction based on sessions but can't seem to tie it together. I'm also just starting out with Splunk so i'm still learning it all. Any help would be appreciated.
index=okta eventtype=okta_log_authentication
| rename authenticationContext.externalSessionId as session
| transaction session startswith="user.session.start" endswith="user.session.end"
| streamstats count(session) AS TotalSession by src_ip, user
| search TotalSession>=2
| table _time src_ip user duration TotalSession