Hello,
I was trying to figure out how to create an alert if a user has logged in from more than 1 country in 2 hours.
This would need to group the field “user”, then inside of that result a further grouping on the field “ip_address_country_code”, so that I can count the different countries.
For example with log entries like these:
user: smith, ip_address_country_code: US
user: smith, ip_address_country_code: US
user: smith, ip_address_country_code: US
user: smith, ip_address_country_code: UK
user: smith, ip_address_country_code: UK
user: brown, ip_address_country_code: DE
user: brown, ip_address_country_code: DE
user: brown, ip_address_country_code: ES
user: jones, ip_address_country_code: MX
user: jones, ip_address_country_code: MX
user: jones, ip_address_country_code: MX
The user “smith” has logged in from 2 countries → alert
The user “brown” has logged in from 2 countries → alert
The user “jones” has logged in from 1 country → no alert
I’ve also tried the Airbus Plugin “Aggregation Count Alert Condition” (GitHub - airbus-cyber/graylog-plugin-aggregation-count: Alert condition plugin for Graylog to perform aggregation), but that doesn’t cover what I wanted. I can group fields and also have a distinction field, but that counts a field like ip_address_country_code with values US, US, US, UK, UK as 5 countries.
Does somebody have an idea how to solve that problem?
Thanks very much in advance,
Robert
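The detection the post describes, written out as a stand-alone example (added here, not code from the original post or from Graylog or the Airbus plugin): group events by user, then count distinct values of ip_address_country_code inside a sliding 2-hour window, rather than counting events. The log lines are constructed to match the post's examples, with a timestamp added so the time window can be applied; the extra user "lee" is an added case that logs in from two countries more than 2 hours apart, so the windowed check does not alert even though the whole-dataset count would. The line format, the `parse_log` function and the `WINDOW`/`threshold` names are assumptions for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post) in the shape of the
# post's examples, with a timestamp prepended so a 2-hour window can be applied.
# "lee" is an added edge case: two countries, but 4 hours apart -> no alert.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user: smith, ip_address_country_code: US
2024-05-01T09:10:00Z user: smith, ip_address_country_code: US
2024-05-01T09:20:00Z user: smith, ip_address_country_code: US
2024-05-01T09:30:00Z user: smith, ip_address_country_code: UK
2024-05-01T09:45:00Z user: smith, ip_address_country_code: UK
2024-05-01T10:00:00Z user: brown, ip_address_country_code: DE
2024-05-01T10:05:00Z user: brown, ip_address_country_code: DE
2024-05-01T10:50:00Z user: brown, ip_address_country_code: ES
2024-05-01T11:00:00Z user: jones, ip_address_country_code: MX
2024-05-01T11:15:00Z user: jones, ip_address_country_code: MX
2024-05-01T11:30:00Z user: jones, ip_address_country_code: MX
2024-05-01T08:00:00Z user: lee, ip_address_country_code: US
2024-05-01T12:00:00Z user: lee, ip_address_country_code: FR
"""

# Assumed line layout for this example; adjust to the real message format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user: (?P<user>\S+), ip_address_country_code: (?P<cc>[A-Z]{2})$"
)

WINDOW = timedelta(hours=2)


def parse_log(text):
    """Parse log lines into (timestamp, user, country_code) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["cc"]))
    return events


def distinct_countries_per_user(events):
    """Whole-dataset view (no time window): number of distinct country codes per user.

    This is the count the post wants: US, US, US, UK, UK -> 2, not 5.
    """
    seen = defaultdict(set)
    for _, user, cc in events:
        seen[user].add(cc)
    return {user: len(codes) for user, codes in seen.items()}


def users_with_multiple_countries(events, window=WINDOW, threshold=2):
    """Return {user: peak distinct countries within any `window`} for users reaching `threshold`.

    Per user, events are sorted by time and a two-pointer sliding window is
    moved over them. A Counter tracks how many in-window events carry each
    country code, so len(counter) is the distinct-country count at that point.
    """
    by_user = defaultdict(list)
    for ts, user, cc in events:
        by_user[user].append((ts, cc))

    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        in_window = Counter()
        left = 0
        peak = 0
        for ts, cc in evs:
            in_window[cc] += 1
            # Evict events older than the window ending at the current event.
            while evs[left][0] < ts - window:
                old_cc = evs[left][1]
                in_window[old_cc] -= 1
                if in_window[old_cc] == 0:
                    del in_window[old_cc]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[user] = peak
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("distinct countries per user:", distinct_countries_per_user(evs))
    for user, n in users_with_multiple_countries(evs).items():
        print(f"ALERT: {user} logged in from {n} countries within {WINDOW}")
```

The point of the sliding window is that it evaluates "more than one country within 2 hours" exactly, so the UK/US pairs in the sample alert for smith and brown while lee does not; a whole-dataset distinct count would flag lee as well. In an alerting system the equivalent rule is to group by the user field and count distinct values of the country field over the 2-hour search window, not count matching messages.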