I have built a query so far to look at users who log on from 2 different geo locations; however:
index=microsoft
| iplocation src_ip
| stats count dc(Country) as "Geo Location" by user
| where 'Geo Location' > 1
However, I can't seem to add more info like src, dest, action, etc.
We can't use values, so that option is not available.
Is there another way to get all the info?
I do realize that I will get more than 1 IP address, but that is the use case.
base search
| iplocation prefix=srcgeo_ src
| eventstats dc(srcgeo_Country) as countryCount by user
| where countryCount>1
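As an added illustration (not code from the question or the answer above), the following Python emulates what the two SPL pipelines do over a handful of constructed logon events, so the difference is visible: stats collapses to one row per user and drops src, dest and action, while eventstats annotates every event with the per-user distinct-country count and keeps all of its fields, which is what the answer relies on. The GEO table is a stand-in for iplocation's bundled database; the events, IPs, field names and countries are all constructed for the example.

```python
from collections import defaultdict

# Constructed IP -> country table standing in for Splunk's iplocation lookup.
GEO = {
    "203.0.113.10": "United States",
    "198.51.100.7": "Germany",
    "192.0.2.44": "United States",
    "203.0.113.55": "Brazil",
}

# Constructed logon events (field names chosen to match the question: user, src, dest, action).
EVENTS = [
    {"user": "alice", "src": "203.0.113.10", "dest": "10.0.0.5", "action": "success"},
    {"user": "alice", "src": "198.51.100.7", "dest": "10.0.0.5", "action": "success"},
    {"user": "bob", "src": "192.0.2.44", "dest": "10.0.0.9", "action": "success"},
    {"user": "bob", "src": "203.0.113.10", "dest": "10.0.0.9", "action": "failure"},
    {"user": "carol", "src": "203.0.113.55", "dest": "10.0.0.9", "action": "success"},
]


def iplocation(events, field="src", prefix="srcgeo_"):
    """Emulate `| iplocation prefix=srcgeo_ src`: add <prefix>Country to each event.
    IPs with no geo entry (e.g. private ranges) simply get no country field."""
    out = []
    for e in events:
        e = dict(e)
        country = GEO.get(e.get(field))
        if country is not None:
            e[prefix + "Country"] = country
        out.append(e)
    return out


def stats_dc_by_user(events, field="srcgeo_Country"):
    """Emulate `| stats count dc(field) as countryCount by user`.
    Result is one row per user; every other event field is gone, which is
    why the original query cannot carry src/dest/action along."""
    rows = {}
    for e in events:
        r = rows.setdefault(e["user"], {"user": e["user"], "count": 0, "_countries": set()})
        r["count"] += 1
        if field in e:  # dc() ignores events where the field is null
            r["_countries"].add(e[field])
    return [
        {"user": r["user"], "count": r["count"], "countryCount": len(r["_countries"])}
        for r in rows.values()
    ]


def eventstats_dc_by_user(events, field="srcgeo_Country"):
    """Emulate `| eventstats dc(field) as countryCount by user`.
    Every event is returned unchanged plus a countryCount field computed
    across all events of the same user."""
    per_user = defaultdict(set)
    for e in events:
        if field in e:
            per_user[e["user"]].add(e[field])
    return [dict(e, countryCount=len(per_user[e["user"]])) for e in events]


def multi_geo_logons(events):
    """The answer's pipeline end to end:
    iplocation -> eventstats dc(...) by user -> where countryCount>1.
    Returns the raw events (with src, dest, action intact) for users seen from
    more than one country."""
    return [e for e in eventstats_dc_by_user(iplocation(events)) if e["countryCount"] > 1]


if __name__ == "__main__":
    for row in stats_dc_by_user(iplocation(EVENTS)):
        print("stats:", row)
    for ev in multi_geo_logons(EVENTS):
        print("eventstats:", ev)
```

In this sample alice logs on from the United States and Germany and so both of her events survive the final filter with dest and action attached; bob uses two different IPs that resolve to the same country and is not flagged, which is the behaviour the question is after (multiple IPs alone are expected, multiple countries are not). The cost of eventstats is that Splunk must hold the per-user distinct sets in memory before it can emit any event, so on a large index it is worth narrowing the base search (time range, sourcetype, successful logons only) before this step.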