Alert with a grouped field (user) and a further grouping (country) which is counted

Hello,

I was trying to figure out how to create an alert if a user has logged in from more than 1 country in 2 hours.

This would need to group the field “user”, then inside of that result a further grouping on the field “ip_address_country_code”, so that I can count the different countries.

For example with log entries like these:

user: smith, ip_address_country_code: US
user: smith, ip_address_country_code: US
user: smith, ip_address_country_code: US
user: smith, ip_address_country_code: UK
user: smith, ip_address_country_code: UK

user: brown, ip_address_country_code: DE
user: brown, ip_address_country_code: DE
user: brown, ip_address_country_code: ES

user: jones, ip_address_country_code: MX
user: jones, ip_address_country_code: MX
user: jones, ip_address_country_code: MX

The user “smith” has logged in from 2 countries → alert
The user “brown” has logged in from 2 countries → alert
The user “jones” has logged in from 1 country → no alert

I’ve also tried the Airbus Plugin “Aggregation Count Alert Condition” (GitHub - airbus-cyber/graylog-plugin-aggregation-count: Alert condition plugin for Graylog to perform aggregation), but that doesn’t cover what I wanted. I can group fields and also have a distinction field, but that counts a field like ip_address_country_code with values US, US, US, UK, UK as 5 countries.

Does somebody have an idea how to solve that problem?

Thanks very much in advance,
Robert
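A worked version of the detection described in the post, added here as an example (it is not code from the post, from the plugin, or from Graylog): it groups logins by user, slides the 2-hour window over each user's logins in time order, and counts distinct country codes rather than rows, so US, US, US, UK, UK counts as 2. The timestamps, the event layout and the extra user "lee" (two countries more than 2 hours apart, which must not alert) are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). Timestamps are added
# so the 2-hour window can be applied; "lee" is an extra case with two
# countries more than 2 hours apart, which should NOT alert.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-01T10:00:00", "user": "smith", "ip_address_country_code": "US"},
    {"timestamp": "2024-01-01T10:05:00", "user": "smith", "ip_address_country_code": "US"},
    {"timestamp": "2024-01-01T10:30:00", "user": "smith", "ip_address_country_code": "US"},
    {"timestamp": "2024-01-01T11:00:00", "user": "smith", "ip_address_country_code": "UK"},
    {"timestamp": "2024-01-01T11:10:00", "user": "smith", "ip_address_country_code": "UK"},
    {"timestamp": "2024-01-01T09:00:00", "user": "brown", "ip_address_country_code": "DE"},
    {"timestamp": "2024-01-01T09:10:00", "user": "brown", "ip_address_country_code": "DE"},
    {"timestamp": "2024-01-01T10:50:00", "user": "brown", "ip_address_country_code": "ES"},
    {"timestamp": "2024-01-01T12:00:00", "user": "jones", "ip_address_country_code": "MX"},
    {"timestamp": "2024-01-01T12:20:00", "user": "jones", "ip_address_country_code": "MX"},
    {"timestamp": "2024-01-01T12:40:00", "user": "jones", "ip_address_country_code": "MX"},
    {"timestamp": "2024-01-01T08:00:00", "user": "lee", "ip_address_country_code": "FR"},
    {"timestamp": "2024-01-01T13:00:00", "user": "lee", "ip_address_country_code": "JP"},
]


def users_with_multiple_countries(events, window_hours=2.0, min_countries=2):
    """Return {user: sorted countries} for every user whose logins inside
    some window_hours-long span cover at least min_countries DISTINCT
    ip_address_country_code values. Rows are never counted, only values."""
    window = timedelta(hours=window_hours)
    logins = defaultdict(list)                      # user -> [(time, country)]
    for e in events:
        t = datetime.fromisoformat(e["timestamp"])
        logins[e["user"]].append((t, e["ip_address_country_code"]))

    alerts = {}
    for user, rows in logins.items():
        rows.sort()                                 # chronological order
        for i, (start, _) in enumerate(rows):
            # Distinct countries seen from this login until the window closes.
            countries = {c for t, c in rows[i:] if t - start <= window}
            if len(countries) >= min_countries:
                alerts[user] = sorted(countries)
                break                               # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for user, countries in users_with_multiple_countries(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} logged in from {len(countries)} countries: {countries}")
```

Running it reports smith and brown only; jones (one country) and lee (two countries, but 5 hours apart) stay silent.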

@robertbln
I believe this can be done with a regular expression (regex) or a GROK pattern to create the fields needed
and a pipeline to sort things out. I totally get what you want to do and I haven't done this with the free version of Graylog, but I think the Graylog Enterprise version might be able to do this for you with less work.
