Watcher: Usecase: how to find users logging in from different locations using watcher?

Hi,

I am pretty new to Watcher, and I had a curious use case: I want to know if a user is logging into the machine from different geo-locations. I have the users' logging info already dumped into ES and can see the logs on Kibana 4. I have the geoip plugin enabled for that index, so I get the different geo-locations from where the users are logging into the machine. I can pick a user from the user field I have in Kibana for that type of logs, filter logs on that user, and finally find out the login geo-locations for that user in Kibana.

I wanted to figure out a way that Watcher can alert whenever it sees any user successfully logged in from multiple locations in a fixed period of time. I know the basic structure of Watcher (trigger, input, condition and action), and I can also search for "SUCCESSFUL LOGINS" in ES, but how can I use the list of users returned from the search to iterate through each user, see the geo-location of each login, and produce an alert if a user has logged in from different locations?
Is there a way in watcher where I can use the returned payload from a search, iterate through it and perform a condition check on other fields (geo-location in this case) and perform an action?

Thanks.

Hey,

The main question here seems to be whether you can write a query that returns the data needed. This depends on your data. Maybe you can write a query to get currently logged in users and run a terms aggregation on top with a min_count of 2, but this highly depends on what your data looks like.

So, try to develop a working query first that returns parseable results, and then think about Watcher and triggering.

Hope this makes sense.

--Alex
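
An added example, not part of the original thread: one way to shape the "query first" step, using a terms aggregation per user with a nested terms aggregation per location, plus the check a watch condition would apply to the returned payload. The field names (`user`, `geoip.country_name`, `message`, `@timestamp`), the one-hour window and the sample response are assumptions, not values from the poster's index.

```python
# Added example: field names, matched phrase and window are assumptions.
USER_FIELD = "user"                    # assumed not_analyzed / keyword field
LOCATION_FIELD = "geoip.country_name"  # assumed geoip output field


def build_search_body(window="now-1h"):
    """Search body: successful logins in the window, grouped by user,
    with one sub-bucket per distinct location seen for that user."""
    return {
        "size": 0,  # only the aggregation is needed, not the hits
        "query": {"bool": {"must": [
            {"match_phrase": {"message": "SUCCESSFUL LOGINS"}},
            {"range": {"@timestamp": {"gte": window}}},
        ]}},
        "aggs": {"by_user": {
            "terms": {"field": USER_FIELD, "size": 1000},
            "aggs": {"locations": {
                "terms": {"field": LOCATION_FIELD, "size": 50}}},
        }},
    }


def users_with_multiple_locations(response, min_locations=2):
    """Return {user: [locations]} for users seen from >= min_locations places."""
    flagged = {}
    buckets = response.get("aggregations", {}).get("by_user", {}).get("buckets", [])
    for bucket in buckets:
        places = sorted(b["key"] for b in bucket["locations"]["buckets"]
                        if b["doc_count"] > 0)
        if len(places) >= min_locations:
            flagged[bucket["key"]] = places
    return flagged


# Constructed sample response, shaped like an Elasticsearch aggregation result.
SAMPLE_RESPONSE = {"aggregations": {"by_user": {"buckets": [
    {"key": "alice", "doc_count": 5, "locations": {"buckets": [
        {"key": "Germany", "doc_count": 3}, {"key": "Brazil", "doc_count": 2}]}},
    {"key": "bob", "doc_count": 4, "locations": {"buckets": [
        {"key": "France", "doc_count": 4}]}},
    {"key": "carol", "doc_count": 0, "locations": {"buckets": []}},
]}}}

if __name__ == "__main__":
    for user, places in users_with_multiple_locations(SAMPLE_RESPONSE).items():
        print(f"ALERT {user}: logins from {', '.join(places)}")
```

Country-level grouping keeps the bucket count small; a user behind a VPN or mobile carrier can still appear in two countries legitimately, so the window and `min_locations` need tuning against real login data.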