Hi! I have a report of users logging in from different countries in the last 24 hours:
index="accesslogs" sourcetype=apilogs authIP=* | iplocation authIP | stats count(authIP) AS ipCount by authDato, authIP, _time, Country, City | where ipCount>=1 | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") | table authDato, Country, City, authIP, _time | dedup authIP | eventstats dc(Country) as COUNT by authDato | where COUNT > 1
The results have this format:
authDato | Country | City | authIP | _time
246423 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 12:10:06
246423 | Brazil | Sao Paulo | xxx.xxx.xxx.xxx | 2023-03-07 10:10:34
246423 | Argentina | Caseros | xxx.xxx.xxx.xxx | 2023-03-06 10:10:34
1004629 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 10:05:34
1004629 | Argentina | Tucuman | xxx.xxx.xxx.xxx | 2023-03-06 16:34:06
1422262 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 12:42:32
1422262 | Brazil | Uberlandia | xxx.xxx.xxx.xxx | 2023-03-07 09:46:32
The goal is to detect compromised accounts (user A can't connect on the same day from different countries).
This report is sorted by authDato (it's our username).
I need to sort it by _time (newest event first), but I need the report to still be grouped by authDato:
Like:
1422262 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 12:42:32
1422262 | Brazil | Uberlandia | xxx.xxx.xxx.xxx | 2023-03-07 09:46:32
246423 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 12:10:06
246423 | Brazil | Sao Paulo | xxx.xxx.xxx.xxx | 2023-03-07 10:10:34
246423 | Argentina | Caseros | xxx.xxx.xxx.xxx | 2023-03-06 10:10:34
1004629 | Paraguay | Asuncion | xxx.xxx.xxx.xxx | 2023-03-07 10:05:34
1004629 | Argentina | Tucuman | xxx.xxx.xxx.xxx | 2023-03-06 16:34:06
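The ordering asked for above (users ranked by their newest login, events newest-first inside each user, and only users seen from more than one country kept) as an added Python example; this is not code from the original post or from Splunk. The sample rows are constructed to mirror the poster's table layout (documentation IP addresses stand in for the masked ones), and the de-duplication by IP mirrors the `dedup authIP` step in the posted search.

```python
"""
Added example: detect accounts that logged in from more than one country
within the report window, then order the report so that the user with the
most recent login comes first and, inside each user, the newest event comes
first. Mirrors the logic of the poster's SPL search in plain Python.
"""
from collections import defaultdict
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events: (authDato, Country, City, authIP, _time).
# 192.0.2.0/24 is the RFC 5737 documentation range; no real hosts.
SAMPLE_ROWS = [
    ("246423", "Paraguay", "Asuncion", "192.0.2.10", "2023-03-07 12:10:06"),
    ("246423", "Paraguay", "Asuncion", "192.0.2.10", "2023-03-07 11:00:00"),  # same IP, older: dropped by dedup
    ("246423", "Brazil", "Sao Paulo", "192.0.2.11", "2023-03-07 10:10:34"),
    ("246423", "Argentina", "Caseros", "192.0.2.12", "2023-03-06 10:10:34"),
    ("1004629", "Paraguay", "Asuncion", "192.0.2.20", "2023-03-07 10:05:34"),
    ("1004629", "Argentina", "Tucuman", "192.0.2.21", "2023-03-06 16:34:06"),
    ("1422262", "Paraguay", "Asuncion", "192.0.2.30", "2023-03-07 12:42:32"),
    ("1422262", "Brazil", "Uberlandia", "192.0.2.31", "2023-03-07 09:46:32"),
    ("5550001", "Paraguay", "Asuncion", "192.0.2.40", "2023-03-07 08:00:00"),  # one country only: excluded
]


def parse_rows(rows):
    """Turn the raw tuples into dicts with a real datetime for sorting."""
    return [
        {"user": u, "country": c, "city": ci, "ip": ip, "time": datetime.strptime(t, TIME_FMT)}
        for (u, c, ci, ip, t) in rows
    ]


def dedup_by_ip(events):
    """Keep only the newest event per source IP (same effect as `dedup authIP` after a newest-first sort)."""
    seen, kept = set(), []
    for ev in sorted(events, key=lambda e: e["time"], reverse=True):
        if ev["ip"] in seen:
            continue
        seen.add(ev["ip"])
        kept.append(ev)
    return kept


def multi_country_users(events):
    """Return {user: [events]} for users seen from more than one country (dc(Country) > 1)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    return {u: evs for u, evs in by_user.items() if len({e["country"] for e in evs}) > 1}


def ordered_report(rows):
    """Flagged users ordered by their most recent login; events newest-first within each user."""
    flagged = multi_country_users(dedup_by_ip(parse_rows(rows)))
    latest = {u: max(e["time"] for e in evs) for u, evs in flagged.items()}
    report = []
    for user in sorted(flagged, key=lambda u: latest[u], reverse=True):
        for ev in sorted(flagged[user], key=lambda e: e["time"], reverse=True):
            report.append((user, ev["country"], ev["city"], ev["ip"], ev["time"].strftime(TIME_FMT)))
    return report


if __name__ == "__main__":
    for row in ordered_report(SAMPLE_ROWS):
        print(" | ".join(row))
```

The same idea carries back into the posted search: compute each user's newest login with `eventstats max(_time) AS latest BY authDato` and then `sort - latest, - _time`, placing both before the `eval _time=strftime(...)` step so the sort runs on the numeric timestamp rather than on the formatted string.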