I'm struggling to find a way to detect users logging in from 2 different countries within a timeframe. I have the UserId, which is the user's email address they use to log in, and I have the ClientIP, which I'm running through a geo lookup to find the country they are logging in from, but I'm not sure how to compare my results to see if they are logging in from 2 different locations.
The query I'm currently using is:
| json field=_raw "UserId", "ClientIP", "Operation"
| where Operation="UserLoggedIn"
| lookup country_name from geo://location on ip = ClientIP
| count as eventCount by UserId, ClientIP, country_name
Any help would be much appreciated. Thanks
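As an added example that is not part of the original post, the comparison step the query is missing (same UserId, different country_name, within a time window) in Python, run over constructed sample events shaped like the fields the query extracts; the field names, timestamps, addresses and countries are all assumed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs) with the fields the Sumo query
# extracts, plus the country_name the geo lookup would have resolved.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "country_name": "United Kingdom"},
    {"ts": "2024-05-01T08:40:00", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7", "country_name": "Brazil"},
    {"ts": "2024-05-01T09:00:00", "UserId": "bob@example.com",
     "ClientIP": "192.0.2.5", "country_name": "Germany"},
    {"ts": "2024-05-01T15:00:00", "UserId": "bob@example.com",
     "ClientIP": "192.0.2.99", "country_name": "Germany"},
    {"ts": "2024-05-01T10:00:00", "UserId": "carol@example.com",
     "ClientIP": "203.0.113.77", "country_name": "Canada"},
    {"ts": "2024-05-02T10:00:00", "UserId": "carol@example.com",
     "ClientIP": "198.51.100.200", "country_name": "Japan"},
]


def find_multi_country_logins(events, window_minutes=60):
    """Return one alert per pair of logins by the same UserId from two
    different countries no more than window_minutes apart, as tuples of
    (UserId, earlier_country, later_country, minutes_apart)."""
    by_user = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        by_user[ev["UserId"]].append((ts, ev["country_name"]))

    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # oldest first, so the window check can stop early
        for i, (t1, c1) in enumerate(logins):
            for t2, c2 in logins[i + 1:]:
                minutes_apart = (t2 - t1).total_seconds() / 60
                if minutes_apart > window_minutes:
                    break  # every later login is further away still
                if c1 != c2:
                    alerts.append((user, c1, c2, int(minutes_apart)))
    return alerts


if __name__ == "__main__":
    for alert in find_multi_country_logins(SAMPLE_EVENTS):
        print("UserId=%s %s -> %s within %d min" % alert)
```

Only alice trips the 60-minute window here; bob stays in one country and carol's two countries are a day apart, which is the distinction a per-user count by country_name alone cannot make.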