Trying to build a query that will return values in the event of multiple userIDs attempting to login from a single IP. (looking for someone from an IP address trying a user list).
Time for the query would/could be an hour or a day. If it could be rolling e.g. From the time X when initial login attempt from IP a.b.c.d for userID 'SAM' occurs - in the next 30 minutes are 2 more attempts to login from same IP a.b.c.d attempted for userID not-equal to 'SAM'
I can think of a few ways to do this depending on what your data looks like and what you plan to do with the results. You could use the "transaction" command to merge events from the same IP. After that, the "login_name" field will have multivalues and you a "... | where mvcount(login_name) > 1 " command to see only events involving multiple login names from the same IP. Alternatively, you could us a "... | stats values(login_name) by IP" to get a tabular output of all the login_names associated with each IP.
I can think of a few ways to do this depending on what your data looks like and what you plan to do with the results. You could use the "transaction" command to merge events from the same IP. After that, the "login_name" field will have multivalues and you a "... | where mvcount(login_name) > 1 " command to see only events involving multiple login names from the same IP. Alternatively, you could us a "... | stats values(login_name) by IP" to get a tabular output of all the login_names associated with each IP.
I'm assuming you are trying to find IPs attempting to bruteforce their way into your system. If so, you might want to use "... | stats dc(login_name) by IP | where dc(login_name)>5". This will give you a table of all the IPs that have tried more than 5 login names.
what should i write if i need to put a time interval of within 30 mins? like ex: bucket span=30m _time(is this correct?)
Thank you. This works. I knew there was a way, just not creative enough to get there