Detect Account Sharing

…. | stats dc(src_ip) as ip_count by user

purpose:

Detect users who log in from multiple IPs (user account sharing)

requirements:

Login logs with Username + Source IP field extractions

comments:

  • … - first search for login events (e.g. with keywords such as logon/login) and check that the proper login logs are present and that the field extractions are working
  • Use stats to show the distinct count of source IPs used per user: | stats dc(src_ip) as ip_count by user
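
An extended form of the search above, added here as an example and not part of the original snippet: it counts distinct source IPs per user per day, keeps the IP list and first/last login time for review, and shows only users above a threshold. The `<your_index>` and `<your_login_sourcetype>` placeholders, the one-day span and the threshold of 3 are assumptions to replace with your own values; `user` and `src_ip` are the field names from the requirements above.

```spl
index=<your_index> sourcetype=<your_login_sourcetype> user=* src_ip=*
| eval event_time=_time
| bin _time span=1d
| stats dc(src_ip) as ip_count values(src_ip) as src_ips min(event_time) as first_login max(event_time) as last_login by _time user
| where ip_count > 3
| convert ctime(first_login) ctime(last_login)
| sort - ip_count
```

Users on VPNs or mobile networks change IP often, so compare the threshold against a baseline of normal behaviour before alerting on it.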