Solved: How can I alert on VPN users who are accessing the...

digital_alchemy · ‎05-26-2016

I have the following search which creates a table showing the number VPN logins based on the location of the login.

Current Search:

<MySearch> | iplocation vpn_remote_ip | search Country="United States" | stats count by vpn_user City Region

Example output:

vpn_user           City               Region              count
User 1           Ashburn               Virginia         2
User 1           Sacramento         California          236
User 3             Ocala                 Florida             7
User 4             Baltimore             Maryland           315
User 5           Edgewater             Maryland            8
User 6             Baltimore             Maryland           344

So, what I would like to do is have an alert be triggered for User 1 accessing the VPN from Ashburn, VA since they typically are logging in from Sacramento, CA for the majority of connections.

I feel like I may be able to use distinct count for this, but have been unable to get it to work.

Any suggestions or better ideas?

somesoni2 · ‎05-26-2016

Try like this

<MySearch> | iplocation vpn_remote_ip | search Country="United States" | eval location=City.",".Region | stats count by vpn_user location | eventstats max(count) as max by vpn_user | where count!=max

View solution in original post

somesoni2 · ‎05-26-2016

Try like this

<MySearch> | iplocation vpn_remote_ip | search Country="United States" | eval location=City.",".Region | stats count by vpn_user location | eventstats max(count) as max by vpn_user | where count!=max

How can I alert on VPN users who are accessing the VPN from an area outside their normal city?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases