AD query for successful login from multiple IP’s


1 comment

  • Official comment
    Nick Wilson

    Hi Terence,

    Something like this should get you started:

    _sourceCategory=Labs/OSSEC "authentication_success"
    | parse "User: * " as user
    | parse ") * ->" as ip_address
    | timeslice 5m 
    | count_distinct (ip_address) group by _timeslice, user
    | where _count_distinct > 1

    Can you try that out and let me know? Also, I encourage you to use a larger timeslice so that you have a higher chance of identifying violations. For example, if someone logs in from two different IP addresses within 10 minutes of each other, it wouldn't be identified here.

    Comment actions Permalink

Please sign in to leave a comment.