Impossible Traveler
tag=test* json -s UserId ClientIP
| sort by time asc
| geoip ClientIP.Location
| require Location // don't bother with IPs that cannot be resolved
| alias Location previousLocation TIMESTAMP prevTS ClientIP prevClientIP // copy the current values so they survive as the "previous" values after the fuse
| fuse -pushpop UserId (prevTS previousLocation prevClientIP) // key on UserId so each entry is paired with that user's previous location
| geodist -u mi Location previousLocation // distance in miles between the current and previous location
| diff TIMESTAMP prevTS as deltaT // elapsed time between the two logins
| eval (if(deltaT > 0){miles_per_second=(float(distance)/(float(deltaT)/1000000000.0));}else{miles_per_second=0.0;}) // deltaT is a duration in nanoseconds, hence the division by 1e9
| eval (miles_per_second > 0.2) // keep only accounts moving at roughly Mach 1 (about 720 mph) or faster
| table UserId ClientIP Location prevClientIP previousLocation distance deltaT miles_per_second
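The impossible-traveler pipeline above, reimplemented in Python as an added example (not the query engine's code and not part of the original request) so the logic can be run and checked offline. The GEOIP table, the sample events and their ClientIP values are constructed stand-ins for the geoip step and the test* tag data; the haversine helper stands in for geodist; timestamps are epoch seconds rather than nanoseconds; and, unlike the query, two distant logins in the same second are reported as infinite speed rather than zero.

```python
import math

# Speed threshold from the query: 0.2 mi/s is roughly Mach 1 (about 720 mph).
THRESHOLD_MI_PER_SEC = 0.2
EARTH_RADIUS_MI = 3958.8

# Constructed stand-in for the geoip step: ClientIP -> (lat, lon).
# Real data would come from the geoip module; this table is an assumption.
GEOIP = {
    "203.0.113.10": (40.7128, -74.0060),  # New York
    "192.0.2.44": (40.7306, -73.9352),    # also the New York area
    "198.51.100.7": (51.5074, -0.1278),   # London
}

# Constructed login events, deliberately out of time order. TIMESTAMP is epoch seconds.
SAMPLE_EVENTS = [
    {"TIMESTAMP": 4600, "UserId": "alice", "ClientIP": "198.51.100.7"},
    {"TIMESTAMP": 1000, "UserId": "alice", "ClientIP": "203.0.113.10"},
    {"TIMESTAMP": 2000, "UserId": "alice", "ClientIP": "10.0.0.5"},  # RFC 1918, no geoip hit
    {"TIMESTAMP": 33400, "UserId": "alice", "ClientIP": "203.0.113.10"},
    {"TIMESTAMP": 1000, "UserId": "bob", "ClientIP": "203.0.113.10"},
    {"TIMESTAMP": 1600, "UserId": "bob", "ClientIP": "192.0.2.44"},
]


def geodist_mi(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs (haversine),
    standing in for `geodist -u mi`."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))


def impossible_travelers(events, geoip=GEOIP, threshold=THRESHOLD_MI_PER_SEC):
    """Mirror the query: sort by time, drop unresolvable IPs, pair each login with
    the same user's previous login, divide distance by elapsed time and keep the
    rows faster than the threshold."""
    rows = []
    previous = {}  # UserId -> (prevTS, previousLocation, prevClientIP): the fuse state
    for ev in sorted(events, key=lambda e: e["TIMESTAMP"]):  # sort by time asc
        location = geoip.get(ev["ClientIP"])
        if location is None:  # `require Location`
            continue
        user = ev["UserId"]
        if user in previous:
            prev_ts, prev_loc, prev_ip = previous[user]
            distance = geodist_mi(location, prev_loc)
            delta_t = ev["TIMESTAMP"] - prev_ts
            if delta_t > 0:
                mps = distance / delta_t
            else:
                # The query reports 0 here, which hides two distant logins in the
                # same second; treating that as infinite speed is this example's choice.
                mps = math.inf if distance > 0 else 0.0
            if mps > threshold:
                rows.append({
                    "UserId": user,
                    "ClientIP": ev["ClientIP"],
                    "Location": location,
                    "prevClientIP": prev_ip,
                    "previousLocation": prev_loc,
                    "distance": round(distance, 1),
                    "deltaT": delta_t,
                    "miles_per_second": round(mps, 3),
                })
        previous[user] = (ev["TIMESTAMP"], location, ev["ClientIP"])
    return rows


if __name__ == "__main__":
    for row in impossible_travelers(SAMPLE_EVENTS):
        print(row)
```

With the constructed data only alice's New York to London hop (about 3,460 miles in one hour, roughly 0.96 mi/s) is reported; her private-address login is dropped by the `require` step, her return trip eight hours later is under the threshold, and bob's two New York logins are a few miles apart.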
Large Upload/Downloads Per User
tag=365-sharepoint json UserId SourceFileName Operation=="FileDownloaded" ClientIP
| stats unique_count(SourceFileName) by UserId over 10m
| eval (unique_count > 50) // only show users who downloaded more than 50 distinct files in a 10 minute window
| table TIMESTAMP UserId unique_count ClientIP
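The large-download query above as an added Python example (not the query engine's code and not part of the original request), so the unique-file count per user per window can be exercised offline. The audit records are constructed and use the same field names as the query (UserId, SourceFileName, Operation, ClientIP, TIMESTAMP as epoch seconds); the windowing is an assumption: fixed 10 minute buckets aligned to the epoch.

```python
from collections import defaultdict

WINDOW_SECONDS = 600  # the query's `over 10m`
THRESHOLD = 50        # the query's `unique_count > 50`


def make_sample_records():
    """Constructed SharePoint audit records; not real tenant data."""
    recs = []
    # mallory: 60 distinct files in one window, plus an upload that must not count.
    for i in range(60):
        recs.append({"TIMESTAMP": 100 + i * 5, "UserId": "mallory",
                     "SourceFileName": f"q4-plans-{i}.xlsx",
                     "Operation": "FileDownloaded", "ClientIP": "203.0.113.10"})
    recs.append({"TIMESTAMP": 150, "UserId": "mallory", "SourceFileName": "notes.txt",
                 "Operation": "FileUploaded", "ClientIP": "203.0.113.10"})
    # alice: the same file 70 times, so unique_count stays at 1.
    for i in range(70):
        recs.append({"TIMESTAMP": 100 + i * 5, "UserId": "alice",
                     "SourceFileName": "handbook.pdf",
                     "Operation": "FileDownloaded", "ClientIP": "198.51.100.7"})
    # bob: 30 files just before and 30 just after a window boundary.
    for i in range(30):
        recs.append({"TIMESTAMP": 560 + i, "UserId": "bob",
                     "SourceFileName": f"a-{i}.docx",
                     "Operation": "FileDownloaded", "ClientIP": "192.0.2.44"})
        recs.append({"TIMESTAMP": 600 + i, "UserId": "bob",
                     "SourceFileName": f"b-{i}.docx",
                     "Operation": "FileDownloaded", "ClientIP": "192.0.2.44"})
    return recs


def large_downloads(records, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Mirror `stats unique_count(SourceFileName) by UserId over 10m`
    followed by `eval (unique_count > 50)`, using fixed epoch-aligned windows.
    Returns one row per (window, user) over the threshold."""
    files = defaultdict(set)  # (window_start, UserId) -> distinct file names
    ips = defaultdict(set)    # (window_start, UserId) -> client IPs seen
    for r in records:
        if r.get("Operation") != "FileDownloaded":  # the query's Operation filter
            continue
        bucket = r["TIMESTAMP"] - r["TIMESTAMP"] % window
        files[(bucket, r["UserId"])].add(r["SourceFileName"])
        ips[(bucket, r["UserId"])].add(r["ClientIP"])
    rows = []
    for (bucket, user), names in sorted(files.items()):
        if len(names) > threshold:
            rows.append({"TIMESTAMP": bucket, "UserId": user,
                         "unique_count": len(names),
                         "ClientIP": sorted(ips[(bucket, user)])})
    return rows


SAMPLE_RECORDS = make_sample_records()

if __name__ == "__main__":
    for row in large_downloads(SAMPLE_RECORDS):
        print(row)
```

Only mallory is reported: alice's 70 downloads of one file count as a single unique name, and bob's 60 files are split 30/30 across the boundary at 600 s, so neither bucket exceeds 50. That last case is the caveat to keep in mind for this query: a fixed-bucket count can miss a burst that straddles a window edge, so confirm how the production engine's `over 10m` windows before relying on boundary behaviour, or lower the threshold and tune on real volume.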
Why should we make this change? (Business justification? What problem is the feature trying to solve?)
These are common markers for throwing alerts
Any other comments?
Wire these into the alert system once those can be packaged in a kit.
What is the enhancement to be made?
Add the following queries to the query library:
Impossible traveler
Large Upload/Downloads Per User