Hello,
Im seeking to implement alerting for a scenario, where I want to detect if a user logs in from a previously not used IP address. My logs come in the following format:
{"uuid":"7f8738fe72a2074a8f65f9587","created":"2024-06-15T10:40:59.377855Z","event_type":"auth_logged_in_with_username","message":"User testuser with full name Test authenticated successfully.","context":{"os":{"name":"Windows","version":"10"},"location":"pending","platform":{"name":"Windows","version":"10"},"user_uuid":"1f22f51e5d8383e12b9ae6a","ip_address":"192.168.13.13","user_agent":"Mozilla/5.0 (Windows NT 11.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","user_is_staff":"False","user_username":"testuser","user_full_name":"Test","user_token_lifetime":"None"}}
So basically I want to do a search of my data with the context.user_uuid and context.ip_address fields and check if there were previous entries before, and generate an alert if there werent. I tried OpenSearch prior, and attempted to implement this same scenario but was not able to do so. Now I'm wondering how can I achieve something like this with Elastic.
OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance. See What is OpenSearch and the OpenSearch Dashboard? | Elastic for more details.
(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )
It looks like new terms detection rule could be a solution.
As per definition:
New terms: Generates an alert for each new term detected in source documents within a specified time range. You can also detect a combination of up to three new terms (for example, a host.ip and host.id that have never been observed together before).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
)