701 Views 8 Replies Latest reply: Apr 25, 2013 12:01 AM by satbir
satbir Apprentice 85 posts since
Oct 9, 2011
Apr 18, 2013 4:46 AM

Report of multiple login at MWR

Can we extract a report on MWR which can provide us users that were accessing internet on two or more machines at the same time? I would need time, client IPs, username in the report.

 

Regards,

Satbir


SS
  • sroering McAfee SME 459 posts since
    Feb 10, 2011
    1. Apr 18, 2013 10:42 AM (in response to satbir)
    Re: Report of multiple login at MWR

    Ultimately any solution is going to require 2 or 3 steps, and some manual observation, but you could find the information if you need it.

     

    To start we should clarify a few details. First, by "at the same time" I will assume that you mean they are using two computers within a certain time delta. Secondly, I will assume that these computers use different proxies (MWG) and/or they each have distinguished IP addresses from the Web Gateway's point of view (meaning they are not NAT'd through a router to the same IP before the request reaches the MWG).

     

    So assuming those two points are true, then this is how you could do it.  For the "time delta", I recommend using summary data which already groups traffic into hourly buckets. Create a query with client IP, username, date, and hour.  Set the client IP to sort descending, and count distinct.

     

    count_ip.png

     

    Then when you run your report, users with the most distinct client IP addresses for the same hour will be at the top.  Since you also get the date and time, you can make a second detailed report using the appropriate date range and username to get the IP addresses and any other information.

     

    This is a test I did on a manually created test case.

    count_ip_result.png

  • sroering McAfee SME 459 posts since
    Feb 10, 2011
    3. Apr 22, 2013 8:39 AM (in response to satbir)
    Re: Report of multiple login at MWR

    For detailed data, you can go down to the second. Only Summary data is limited by the hour.

     

    I suppose the same report would work on detailed data, but including the exact time on the report would stop records from being combined. The idea of my strategy is to do your investigation in two steps. The above was step 1, which shows which users had multiple IP addresses in the same hour. It also shows the hour and date. Then you use this information to make a second report to show any details you want.

  • sroering McAfee SME 459 posts since
    Feb 10, 2011
    5. Apr 23, 2013 8:50 AM (in response to satbir)
    Re: Report of multiple login at MWR

    Depending on which columns you add to the query and the query type, not all options are available because they are not compatible. What is your goal for the detailed report? Give me an example of what you want it to look like and maybe I can help.

  • sroering McAfee SME 459 posts since
    Feb 10, 2011
    7. Apr 24, 2013 8:22 AM (in response to satbir)
    Re: Report of multiple login at MWR

    Web Reporter uses the access logs for reports, so you have to think about what information is in the logs.  There is no concept of "logged into two machines at the same time", but we can imagine that if a user was logged into two machines, and generating web traffic from both, then "at the same time" could mean getting a request from distinct client ip addresses that share the same user name within some time delta.  So we only need to set the time delta.  I used the date+hour.

     

    If you are trying to use detail data with the date/time for the time delta, then you have reduced the time difference to 1 second.  This isn't going to produce favorable results.  The hour bucket is probably as good as it gets.
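
The two-step approach from replies 1 and 7 (hourly bucket, distinct client IP count sorted descending, then a detail lookup for the flagged user and hour), as an added example that is not part of the thread and not McAfee code. The comma-separated record layout, the sample rows and the function names are constructed for illustration and are not the real Web Gateway access log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, username, client IP. This is a
# simplified stand-in, not the real Web Gateway access log format.
SAMPLE_LOG = """\
2013-04-18 09:05:11,alice,10.0.0.21
2013-04-18 09:17:40,alice,10.0.0.21
2013-04-18 09:48:02,alice,10.0.0.57
2013-04-18 09:59:30,bob,10.0.0.33
2013-04-18 10:01:12,bob,10.0.0.34
2013-04-18 10:20:00,carol,10.0.0.40
2013-04-18 10:21:09,carol,10.0.0.41
2013-04-18 10:45:55,carol,10.0.0.42
2013-04-18 11:02:00,,10.0.0.99
"""

def parse(text):
    """Yield (datetime, username, client_ip); skip unauthenticated or malformed rows."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[1]:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def distinct_ips_per_hour(records, min_ips=2):
    """Step 1: bucket by (username, date, hour), count distinct IPs, sort descending."""
    buckets = defaultdict(set)
    for ts, user, ip in records:
        buckets[(user, ts.date().isoformat(), ts.hour)].add(ip)
    rows = [(u, d, h, len(ips)) for (u, d, h), ips in buckets.items()
            if len(ips) >= min_ips]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1], r[2]))

def detail(records, user, day, hour):
    """Step 2: per-second rows for one flagged user within one date and hour."""
    return [(ts.isoformat(sep=" "), ip) for ts, u, ip in records
            if u == user and ts.date().isoformat() == day and ts.hour == hour]

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    for row in distinct_ips_per_hour(recs):
        print(row, detail(recs, *row[:3]))
```

In the constructed data, bob's two addresses are two minutes apart but fall in different hour buckets, so step 1 does not flag him; that is the trade-off of using a fixed hourly bucket as the time delta.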
