This alert is triggered when a specific user is registered from multiple IP addresses during a single monitoring interval or a defined period of activity.
Name: Multiple IP addresses used by a user
Status (default): disabled
Detector: built-in, non-SQL
“Multiple IP addresses used by user *user_name*.”
“The total IP addresses used by the user: *number_of_IPs* in last *number_of_minutes* minutes.”
This alert does not track the activity of clients that use IPv6 addresses.
- Activity threshold (number of IP addresses - number)
The number of IP addresses to trigger the alert. Default: 5.
- Activity timeout (minutes - number)
The number of additional minutes over which the condition is measured. The condition is measured over the length of one monitoring interval plus the number of minutes specified here, rounded down to an integer number of monitoring intervals. Default: 0. The default value means that the condition is measured over single monitoring intervals. Entering a value of, for example, 7 and assuming that the monitoring interval is configured to 5 minutes, would cause an additional 5 minutes to be added to the time over which the condition is measured.
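The window rounding and threshold described above, as an added Python example (not the product's own code). It assumes session records are available as (timestamp, user, client address) tuples and that the alert fires once the count of distinct IPv4 addresses reaches the threshold; the function names and sample events are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def measurement_window(interval_min, timeout_min=0):
    """Minutes measured: one interval plus the timeout rounded down to whole intervals."""
    return interval_min + (timeout_min // interval_min) * interval_min

def multi_ip_users(events, now, interval_min, threshold=5, timeout_min=0):
    """Return {user: [IPv4, ...]} for users whose distinct IPv4 count reaches threshold."""
    start = now - timedelta(minutes=measurement_window(interval_min, timeout_min))
    seen = defaultdict(set)
    for ts, user, addr in events:
        ip = ipaddress.ip_address(addr)
        if ip.version != 4:          # IPv6 clients are not tracked by this alert
            continue
        if start < ts <= now:
            seen[user].add(ip)
    # Assumption: the alert fires when the count reaches the threshold (>=).
    return {u: [str(i) for i in sorted(ips)]
            for u, ips in seen.items() if len(ips) >= threshold}

# Constructed sample events: (timestamp, user, client address)
NOW = datetime(2024, 1, 1, 12, 0)
EVENTS = [
    (NOW - timedelta(minutes=8), "alice", "192.0.2.1"),
    (NOW - timedelta(minutes=4), "alice", "192.0.2.2"),
    (NOW - timedelta(minutes=3), "alice", "192.0.2.3"),
    (NOW - timedelta(minutes=2), "alice", "192.0.2.4"),
    (NOW - timedelta(minutes=1), "alice", "192.0.2.5"),
    (NOW - timedelta(minutes=1), "alice", "2001:db8::1"),   # ignored: IPv6
    (NOW - timedelta(minutes=2), "bob", "198.51.100.1"),
    (NOW - timedelta(minutes=1), "bob", "198.51.100.2"),
]

if __name__ == "__main__":
    # 5-minute monitoring interval; compare the default timeout with a timeout of 7.
    for timeout in (0, 7):
        minutes = measurement_window(5, timeout)
        hits = multi_ip_users(EVENTS, NOW, 5, timeout_min=timeout)
        print(f"timeout={timeout}: window={minutes} min, alerts={len(hits)}")
        for user, ips in hits.items():
            print(f"Multiple IP addresses used by user {user}.")
            print(f"The total IP addresses used by the user: {len(ips)} "
                  f"in last {minutes} minutes.")
```

With the default timeout the sample user stays at four IPv4 addresses inside the 5-minute window and no alert is raised; a timeout of 7 widens the window to 10 minutes and the fifth address brings the count to the threshold.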