I want to search the Okta logs to find users who logged in from rare countries. So typically, users who logged in from the USA, UK or Australia are considered BAU, but those from Kuwait, Lesotho, etc. are rare. So far, I have done this:
index=* sourcetype="OktaIM2:log" eventType="user.session.start" outcome.result="success" client.geographicalContext.country!=null daysago=30
| stats values(user), values(client.ipAddress), values(actor.displayName) count by client.geographicalContext.country
| sort count
| where count < 20
It returned results like this, which isn't that accurate. Like, for the first row, it gives user 1 and user 2. My current search query gives total results of 20 logins from user 1, 2 and 3, meaning user 1 could be 1 login, user 2 15 logins, user 3 5 logins.
country      values(user)           count
Uzbekistan   user1, user2, user3    3
Slovakia     user1                  1
What I want is to have at least more than 5 logins and less than 20 for that particular user, to show that there is some activity ongoing. So user 2, for example, who had 15 logins from a rare country, will be displayed, but user 1, who only had one login from the rare country, will not be displayed. How do I get to this? Thanks.
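One way to get the per-user count described above, as an added example and not code from the original post: it keeps the same search and field names, replaces `daysago=30` with the equivalent `earliest=-30d`, counts logins per user within each country, and uses eventstats to keep the original per-country rarity threshold (fewer than 20 logins from that country in total) while only showing users with more than 5 logins there.

```spl
index=* sourcetype="OktaIM2:log" eventType="user.session.start" outcome.result="success" client.geographicalContext.country!=null earliest=-30d
| rename client.geographicalContext.country AS country
| stats count AS user_logins dc(client.ipAddress) AS src_ips values(client.ipAddress) AS ips BY country user
| eventstats sum(user_logins) AS country_logins BY country
| where country_logins < 20 AND user_logins > 5
| sort - user_logins
```

The `src_ips` column shows whether a user's logins from that country came from one address or many, which helps separate a travelling user from spread-out activity; the 5 and 20 thresholds are the ones from the post and can be tuned.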