Hi, I'm trying to write some detection rules for my logs. I want to create a rule that detects when a user logs in from a previously unused IP address. My incoming logs look like:
{"uuid":"7f8738fe72a2074a8f65f9587","created":"2024-06-15T10:40:59.377855Z","event_type":"auth_logged_in_with_username","message":"User testuser with full name Test authenticated successfully.","context":{"os":{"name":"Windows","version":"10"},"location":"pending","platform":{"name":"Windows","version":"10"},"user_uuid":"1f22f51e5d8383e12b9ae6a","ip_address":"192.168.13.13","user_agent":"Mozilla/5.0 (Windows NT 11.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","user_is_staff":"False","user_username":"testuser","user_full_name":"Test","user_token_lifetime":"None"}}
I basically want to take the uuid and context.ip_address and search the current data for whether there is a match or not. Any tips on how to achieve this? I see nothing that can be used for this in the detection rule creation.
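The check described above needs state that survives from one event to the next: a per-user baseline of IP addresses already seen, against which each new login is compared. A stateless per-event rule cannot express that on its own, which is why nothing in a plain rule editor fits. The following Python script is an added illustration, not code from the post or from any particular rule engine. It parses log lines in the format shown, keeps an in-memory baseline keyed on `context.user_uuid` (assumed to be the stable user identifier; the top-level `uuid` is unique per event so it cannot serve as a key), and raises an alert when a login arrives from an IP the user has not used before. Every sample line other than the first is constructed for the example, and the function and field names below are my own choices.

```python
import json
from collections import defaultdict

LOGIN_EVENT = "auth_logged_in_with_username"

# Constructed sample events modelled on the log line in the post.
# The first line is the one from the post; the rest are made-up follow-ups.
SAMPLE_LOGS = [
    '{"uuid":"7f8738fe72a2074a8f65f9587","created":"2024-06-15T10:40:59.377855Z",'
    '"event_type":"auth_logged_in_with_username","message":"User testuser with full name Test authenticated successfully.",'
    '"context":{"os":{"name":"Windows","version":"10"},"location":"pending","platform":{"name":"Windows","version":"10"},'
    '"user_uuid":"1f22f51e5d8383e12b9ae6a","ip_address":"192.168.13.13",'
    '"user_agent":"Mozilla/5.0 (Windows NT 11.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0",'
    '"user_is_staff":"False","user_username":"testuser","user_full_name":"Test","user_token_lifetime":"None"}}',
    # Same user, same IP again: already in the baseline, no alert.
    '{"uuid":"e1","created":"2024-06-15T11:02:00Z","event_type":"auth_logged_in_with_username",'
    '"context":{"user_uuid":"1f22f51e5d8383e12b9ae6a","ip_address":"192.168.13.13","user_username":"testuser"}}',
    # Same user, never-seen IP: this is the case the rule should catch.
    '{"uuid":"e2","created":"2024-06-15T11:30:00Z","event_type":"auth_logged_in_with_username",'
    '"context":{"user_uuid":"1f22f51e5d8383e12b9ae6a","ip_address":"203.0.113.7","user_username":"testuser"}}',
    # Unrelated event type: ignored even though it carries an IP.
    '{"uuid":"e3","created":"2024-06-15T11:31:00Z","event_type":"auth_logged_out",'
    '"context":{"user_uuid":"1f22f51e5d8383e12b9ae6a","ip_address":"203.0.113.7"}}',
    # Malformed line: skipped rather than crashing the detector.
    "not json at all",
]


def extract_login(raw_line):
    """Return the fields a login event needs for the check, or None for
    non-login events, malformed JSON, or events missing user/IP."""
    try:
        event = json.loads(raw_line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("event_type") != LOGIN_EVENT:
        return None
    ctx = event.get("context") or {}
    user_uuid = ctx.get("user_uuid")
    ip = ctx.get("ip_address")
    if not user_uuid or not ip:
        return None
    return {
        "event_uuid": event.get("uuid"),
        "created": event.get("created"),
        "user_uuid": user_uuid,
        "username": ctx.get("user_username"),
        "ip": ip,
    }


class NewIpDetector:
    """Stateful detector: remembers every IP each user has logged in from.

    alert_on_first_login decides how a user with no baseline at all is
    treated. The default (False) silently records the first IP, which
    avoids a flood of alerts when the detector is first deployed; set it
    to True if a brand-new user logging in should itself be flagged.
    """

    def __init__(self, alert_on_first_login=False):
        self.seen = defaultdict(set)  # user_uuid -> set of IPs seen so far
        self.alert_on_first_login = alert_on_first_login

    def process(self, raw_line):
        login = extract_login(raw_line)
        if login is None:
            return None
        known = self.seen[login["user_uuid"]]
        first_login = not known
        previously_seen = sorted(known)
        is_new_ip = login["ip"] not in known
        known.add(login["ip"])  # update the baseline regardless of outcome
        if not is_new_ip:
            return None
        if first_login and not self.alert_on_first_login:
            return None
        return {
            "rule": "login_from_new_ip",
            "event_uuid": login["event_uuid"],
            "created": login["created"],
            "user_uuid": login["user_uuid"],
            "username": login["username"],
            "ip": login["ip"],
            "previously_seen": previously_seen,
        }


def detect(lines, **detector_kwargs):
    """Run the detector over an iterable of raw log lines; return the alerts."""
    detector = NewIpDetector(**detector_kwargs)
    alerts = []
    for line in lines:
        alert = detector.process(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(json.dumps(alert))
```

In a real pipeline the `seen` dictionary would be persisted (a database table, a key-value store, or whatever lookup/enrichment facility the rule engine offers) so the baseline survives restarts, and you would want a way to expire or prune old entries so a user's baseline does not grow without bound.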