Skip to main content

Working with risk analytics metrics - first time unique combination of user/country in past 30 days

  • January 28, 2025
  • 4 replies
  • 36 views
K
Forum|alt.badge.img+1

Hi all!

I am trying to create a rule that alerts if for the past 30 days, a unique combination of user/country is seen for the first time. This is what I came up with so far:

 

events: $selection.metadata.vendor_name = "Okta" $selection.metadata.event_type = "USER_LOGIN" $selection.security_result.detection_fields["legacyEventType"] = "core.user_auth.login_success" $userid = $selection.target.user.userid $country = $selection.principal.ip_geo_artifact.location.country_or_region match: $userid, $country over 1d outcome: $first_seen_today = max(metrics.auth_attempts_success( period:1h, window:today, metric:first_seen, agg:max, target.user.userid:$userid)) $first_seen_monthly = max(metrics.auth_attempts_success( period:1d, window:30d, metric:first_seen, agg:max, target.user.userid:$userid))

 

The problem begins when I add "principal.ip_geo_artifact.location.country_or_region:$country" to $first_seen_today and $first_seen_monthly - it returns results that don't make sense.

I would appreciate if someone can explain to me what am I missing here, and how to build the rule correctly. Thank you in advance.

4 replies

dnehoda
Staff
Forum|alt.badge.img+16
  • dnehoda
  • Staff
  • January 28, 2025

well....first off your missing a condition statement at the bottom from what you pasted here.   

And, if you could please share what you are seeing vs. what you are expecting to see that would be very helpful in moving this along.  Thank you!

K
Forum|alt.badge.img+1
  • Koifman
  • Author
  • New Member
  • January 28, 2025

well....first off your missing a condition statement at the bottom from what you pasted here.   

And, if you could please share what you are seeing vs. what you are expecting to see that would be very helpful in moving this along.  Thank you!


Thanks for the quick reply @dnehoda !

Regarding the condition statement, I omitted it intentionally, since I don't have any problems with that part.

Here are the results I see, after adding "principal.ip_geo_artifact.location.country_or_region:$country" to the metrics function (taken from the public Chronicle demo lab):

 

How do I need to interpret this? I can see that "mark.taylor/United States" combo is 0, both for daily and monthly, meaning that it did not occur a single time, but obviously it happened at least once since it shows up in the detections. When searching this combination manually, there are many results for the past month. I'm probably misunderstanding something, I just don't know why the results show 0 when there clearly are results.

I'll mention again, that my goal is to alert when a combination of a user/country is seen for the first time in the past 30 days.

Thanks!

 
AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • January 28, 2025

Thanks for the quick reply @dnehoda !

Regarding the condition statement, I omitted it intentionally, since I don't have any problems with that part.

Here are the results I see, after adding "principal.ip_geo_artifact.location.country_or_region:$country" to the metrics function (taken from the public Chronicle demo lab):

 

How do I need to interpret this? I can see that "mark.taylor/United States" combo is 0, both for daily and monthly, meaning that it did not occur a single time, but obviously it happened at least once since it shows up in the detections. When searching this combination manually, there are many results for the past month. I'm probably misunderstanding something, I just don't know why the results show 0 when there clearly are results.

I'll mention again, that my goal is to alert when a combination of a user/country is seen for the first time in the past 30 days.

Thanks!

 

Hi @Koifman,

This could potentially be likely, as you are using the follow metric 'metrics.auth_attempts_success' which identifies USER_LOGIN event types, of which the security_result.action is 'ALLOW', it is likely that in the photo the events that are displaying '0' but are repeated, are because they are USER_LOGINS, however the security_result.action is not 'ALLOW'.

Within the same test instance, changing the metric to '

metrics.auth_attempts_total', we can see data for the results you've showed which are reporting as '0' (focusing on the 'FIRST_SEEN_MONTHLY')

 

rule UEBA_TEST { meta: author = "Ayman C" events: $selection.metadata.vendor_name = "Okta" $selection.metadata.event_type = "USER_LOGIN" $userid = $selection.target.user.userid $country = $selection.principal.ip_geo_artifact.location.country_or_region $userid = /lisa.cooper|mark.taylor/ match: $userid, $country over 1d outcome: $first_seen_today = max(metrics.auth_attempts_total( period:1h, window:today, metric:first_seen, agg:max, target.user.userid:$userid)) $first_seen_monthly = max(metrics.auth_attempts_total( period:1d, window:30d, metric:first_seen, agg:max, target.user.userid:$userid)) condition: $selection }

 

 

I hope that helps and solves the issue you're seeing

Kind Regards,

Ayman

K
Forum|alt.badge.img+1
  • Koifman
  • Author
  • New Member
  • January 29, 2025

Hi @Koifman,

This could potentially be likely, as you are using the follow metric 'metrics.auth_attempts_success' which identifies USER_LOGIN event types, of which the security_result.action is 'ALLOW', it is likely that in the photo the events that are displaying '0' but are repeated, are because they are USER_LOGINS, however the security_result.action is not 'ALLOW'.

Within the same test instance, changing the metric to '

metrics.auth_attempts_total', we can see data for the results you've showed which are reporting as '0' (focusing on the 'FIRST_SEEN_MONTHLY')

 

rule UEBA_TEST { meta: author = "Ayman C" events: $selection.metadata.vendor_name = "Okta" $selection.metadata.event_type = "USER_LOGIN" $userid = $selection.target.user.userid $country = $selection.principal.ip_geo_artifact.location.country_or_region $userid = /lisa.cooper|mark.taylor/ match: $userid, $country over 1d outcome: $first_seen_today = max(metrics.auth_attempts_total( period:1h, window:today, metric:first_seen, agg:max, target.user.userid:$userid)) $first_seen_monthly = max(metrics.auth_attempts_total( period:1d, window:30d, metric:first_seen, agg:max, target.user.userid:$userid)) condition: $selection }

 

 

I hope that helps and solves the issue you're seeing

Kind Regards,

Ayman


Hey @AymanC thanks for the reply!

I don't think this matters too much, since before your suggestion I was using 

 

 

$selection.security_result.detection_fields["legacyEventType"] = "core.user_auth.login_success"

 

 which also refers to events that are successful logins. Switching between using it and not using it (like you did with your query) does return the same amount of results - 21 for the past 7 days.
 
The more interesting question in my opinion, is the difference between:

 

$first_seen_monthly = max(metrics.auth_attempts_success( period:1d, window:30d, metric:first_seen, agg:max, target.user.userid:$userid))

 

 and between:

 

$first_seen_monthly = max(metrics.auth_attempts_success( period:1d, window:30d, metric:first_seen, agg:max, target.user.userid:$userid, principal.ip_geo_artifact.location.country_or_region:$country))

 

 and why, when using the 2nd version, I am getting weird results where the monthly value is 0, even though we know for certain that 0 doesn't make sense.
 
If I understand correctly, using just $userid in the metrics, will only check the user against the user/country combination obtained from the "match" section, so the check will not consider the country. For example, if the "match" section obtained "mark.taylor" / "United States", and the metrics check for the past 30 days sees "mark.taylor" / "NewCountry", the value will NOT be 0 like I want, since "mark.taylor" is the only value being checked - I hope I am able to explain it correctly.

 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.