Hi All, I'm trying to create a search, to potentially be made into a monitoring rule later on. What I am trying to achieve is a way to compare if a user has logged into his machine from a wildly different IP address. This will be using external IP addresses only. As an example I want to know if a user logged into the estate from an IP which wasn't the same or similar as the previous day.

User     Today          Yesterday
User A   155.123.1.1    155.123.1.1
User B   155.124.1.2    155.125.20.2
User C   155.166.2.5    22.18.254.56

In the table above, I have 3 users; user A and B have logged in from pretty similar IPs, although user B has logged in from a different one today (this often happens in our logs). What I am more wanting to see is User C, who has logged in from a completely different subnet IP and is not similar to their IP from the previous day.

This is what I have so far:

index=foo (earliest=-1d@d latest=now())
| eval TempClientIP=split(ForwardedClientIpAddress,",")
| eval ClientIP=mvindex(TempClientIP,0)
| eval ClientIP1=mvindex(TempClientIP,1)
| eval ClientIP2=mvindex(TempClientIP,2)
| search NOT ClientIP=10.*
| where like(ClientIP, ClientIP1)
| eval when=if(_time<=relative_time(now(), "@d"), "Yesterday", "Today")
| chart values(ClientIP) over user by when
| where Yesterday!=Today

Some context regarding the search: the ForwardedClientIpAddress field has 3 items inside, ClientIP + ClientIP1 are the same address, ClientIP2 is the end internal address. ClientIP can be an internal address, which is why there is a NOT to remove it from the searches. Any help would be very much appreciated. Thanks
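One way to express the check the post describes, written here as an added example and not the poster's own search. It keeps the post's `index=foo`, `ForwardedClientIpAddress` and `user` fields and takes the first forwarded address as the client IP; everything else is an assumption: all three RFC 1918 ranges are dropped with `cidrmatch` rather than only the `10.*` prefix, and the first octet is treated as the "netblock" so that user B from the table (155.124 vs 155.125) is not flagged while user C (155 vs 22) is. Keeping two octets in the capture group gives a /16-style comparison instead.

```spl
index=foo earliest=-1d@d latest=now
| eval ClientIP=trim(mvindex(split(ForwardedClientIpAddress, ","), 0))
| where NOT cidrmatch("10.0.0.0/8", ClientIP)
    AND NOT cidrmatch("172.16.0.0/12", ClientIP)
    AND NOT cidrmatch("192.168.0.0/16", ClientIP)
| eval day=if(_time < relative_time(now(), "@d"), "Yesterday", "Today")
| eval netblock=replace(ClientIP, "^(\d+)\.\d+\.\d+\.\d+$", "\1")
| eval ip_on_day=day.": ".ClientIP
| stats dc(day) AS days_seen, dc(netblock) AS netblocks_seen,
        values(ip_on_day) AS ips_by_day BY user
| where days_seen=2 AND netblocks_seen>1
```

`days_seen=2` restricts the result to users who appear on both days, so a user first seen today has no baseline and is not reported; `netblocks_seen>1` then flags anyone whose addresses across the two days fall in more than one netblock, which also catches a user who moved netblock within a single day. The leading element of a forwarded-address list is whatever the first hop presented, so pick the index that your own proxy appends if you need a value you can trust for alerting.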