Detect user login with different IP address

I'm seeking to implement alerting for a scenario where I want to detect if a user logs in from a previously unused IP address. My logs come in the following format:

{"uuid":"7f8738fe72a2074a8f65f9587","created":"2024-06-15T10:40:59.377855Z","event_type":"auth_logged_in_with_username","message":"User testuser with full name Test authenticated successfully.","context":{"os":{"name":"Windows","version":"10"},"location":"pending","platform":{"name":"Windows","version":"10"},"user_uuid":"1f22f51e5d8383e12b9ae6a","ip_address":"","user_agent":"Mozilla/5.0 (Windows NT 11.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","user_is_staff":"False","user_username":"testuser","user_full_name":"Test","user_token_lifetime":"None"}}

So basically I want to do a search of my data with the context.user_uuid and context.ip_address fields and check if there were previous entries before, and generate an alert if there weren't. I tried OpenSearch prior, and attempted to implement this same scenario, but was not able to do so. Now I'm wondering how I can achieve something like this with Elastic.

OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance. See What is OpenSearch and the OpenSearch Dashboard? | Elastic for more details.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Hi @Maeris , welcome to the community.

It looks like a new terms detection rule could be a solution.

As per definition:

  • New terms: Generates an alert for each new term detected in source documents within a specified time range. You can also detect a combination of up to three new terms (for example, a host.ip and that have never been observed together before).

Here you can find how to create it: Create a detection rule | Elastic Security Solution [8.14] | Elastic

For your case, I think you would need to define the context.user_uuid and context.ip_address fields as the new terms in the rule configuration.
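The logic such a rule implements, written out as a small added example (not code from the original post or from Elastic): each login is keyed by the combination of context.user_uuid and context.ip_address, and an alert fires when that combination has not been seen within a trailing history window. The sample events, the user UUIDs, IPs and timestamps are all constructed for the example and only keep the fields the check needs; the 30-day window is an assumption that stands in for the history window you configure on the rule. The posted log line has an empty ip_address, so the example also shows why events with an empty field should be excluded rather than treated as a term.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in the shape of the original post's log line.
# Only the fields the detection needs are filled in; the UUIDs, IPs and
# timestamps are made up for this example.
def _event(created, user_uuid, ip):
    return json.dumps({
        "created": created,
        "event_type": "auth_logged_in_with_username",
        "context": {"user_uuid": user_uuid, "ip_address": ip},
    })

SAMPLE_LOGS = [
    _event("2024-06-15T10:40:59.377855Z", "user-a", "203.0.113.10"),  # first sighting
    _event("2024-06-16T08:02:11.000000Z", "user-a", "203.0.113.10"),  # same pair, no alert
    _event("2024-06-17T09:15:00.000000Z", "user-a", "198.51.100.7"),  # new IP for user-a
    _event("2024-06-17T12:00:00.000000Z", "user-b", "203.0.113.10"),  # known IP, new user
    _event("2024-06-18T07:30:00.000000Z", "user-a", ""),              # empty ip_address
    _event("2024-08-01T06:00:00.000000Z", "user-a", "203.0.113.10"),  # outside window
]


def parse_event(line):
    """Extract (timestamp, user_uuid, ip_address) from one JSON log line."""
    doc = json.loads(line)
    ts = datetime.fromisoformat(doc["created"].replace("Z", "+00:00"))
    ctx = doc.get("context", {})
    return ts, ctx.get("user_uuid", ""), ctx.get("ip_address", "")


def detect_new_pairs(lines, history_window=timedelta(days=30)):
    """Return (alerts, skipped).

    alerts  : events whose (user_uuid, ip_address) combination was not seen
              within history_window before the event, in time order.
    skipped : events with an empty ip_address, which must not become a term,
              otherwise "" would alert once and then mask every later login
              that is also missing the field.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    last_seen = {}  # (user_uuid, ip_address) -> timestamp of last sighting
    alerts, skipped = [], []
    for ts, user, ip in events:
        if not ip:
            skipped.append((ts, user, ip))
            continue
        key = (user, ip)
        prev = last_seen.get(key)
        # New if never seen, or last seen longer ago than the history window.
        if prev is None or ts - prev > history_window:
            alerts.append((ts, user, ip))
        last_seen[key] = ts
    return alerts, skipped


if __name__ == "__main__":
    found, dropped = detect_new_pairs(SAMPLE_LOGS)
    for ts, user, ip in found:
        print(f"ALERT {ts.isoformat()} user={user} ip={ip}")
    for ts, user, _ in dropped:
        print(f"SKIP  {ts.isoformat()} user={user} (empty ip_address)")
```

Two things to check before relying on the real rule: the posted event has `"ip_address": ""`, so confirm the application actually records the client address (behind a reverse proxy that usually means forwarding the original client IP) and add a filter such as excluding empty values to the rule query; and make sure context.user_uuid and context.ip_address are mapped as keyword fields, since new terms rules aggregate on the selected fields. Also expect a burst of alerts on the first run, because every combination that is not already in the history window counts as new.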

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.