https://community.splunk.com/t5/Security/Geographically-improbable-Access-Using-iplocation/m-p/434100#M10208 <P>@JRamirezEnosys <BR /> Can you upvote and accept the answer if it's helped you? Thanks.</P> Fri, 09 Aug 2019 06:05:19 GMT jawaharas 2019-08-09T06:05:19Z https://community.splunk.com/t5/Security/Geographically-improbable-Access-Using-iplocation/m-p/434098#M10206 <P>Hi everybody,</P> <P>I was reading <A href="https://answers.splunk.com/answers/560188/logic-behind-geographically-improbable-access-dete.html">https://answers.splunk.com/answers/560188/logic-behind-geographically-improbable-access-dete.html</A> and I am trying to get a better and more simple query to find geographically improbable access.</P> <P>My environment is not as full as these, I have atm 3 variables</P> <P>subject=ID of the user<BR /> _time=timestamp (doh)<BR /> IP=IP address from where they have logged on<BR /> from IP I can obtain the fields "lat" and "lon"</P> <P>Then with some simple string magic I am looking at the following</P> <PRE><CODE>index=main eventtype="loginevents" subject=* | fields ip subject _time | iplocation ip | eval lat=tostring(lat), lon=tostring(lon) | eval latlon=lat.", ".lon | stats count by ip latlon </CODE></PRE> <P>My issue is that this results just give me basic statistic data, what i want is to compare the 2 last logins and see how far those 2 locations are, so it would be adding the previous login's lat and lon in different fields, any idea to apply this?</P> Wed, 07 Aug 2019 03:51:16 GMT https://community.splunk.com/t5/Security/Geographically-improbable-Access-Using-iplocation/m-p/434098#M10206 JRamirezEnosys 2019-08-07T03:51:16Z https://community.splunk.com/t5/Security/Geographically-improbable-Access-Using-iplocation/m-p/434099#M10207 <P>You can use below query based on <A href="https://en.wikipedia.org/wiki/Haversine_formula">Haversine_formula</A></P> <PRE><CODE>[BASE SEARCH] | dedup user_id, clientip | eval time1=_time | map maxsearches=99 search="search [BASE SEARCH] | eval clientip1=$clientip$, time1=$time1$, time2=_time | search user_id=$user_id$ clientip!=clientip1 | dedup user_id, clientip | rename clientip as clientip2" | where clientip1!=clientip2 | iplocation clientip1 | eval lat1=lat, lon1=lon, city1=City, country1=Country | iplocation clientip2 | eval lat2=lat, lon2=lon , city2=City, country2=Country | eval rlat1 = pi()*lat1/180, rlat2=pi()*lat2/180, rlat = pi()*(lat2-lat1)/180, rlon= pi()*(lon2-lon1)/180 | eval a = sin(rlat/2) * sin(rlat/2) + cos(rlat1) * cos(rlat2) * sin(rlon/2) * sin(rlon/2) | eval c = 2 * atan2(sqrt(a), sqrt(1-a)) | eval distance = 6371 * c | eval timestamp1=strftime(time1, "%y-%m-%d %H:%M:%S"), timestamp2=strftime(time2, "%y-%m-%d %H:%M:%S") | table user_id, timestamp1, clientip1, city1, country1, timestamp2,clientip2, city2, country2, distance | rename distance as "distance in KM" </CODE></PRE> <P><STRONG>Sample output:</STRONG><BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7469iE1DB8AE3229452A9/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 07 Aug 2019 05:44:02 GMT https://community.splunk.com/t5/Security/Geographically-improbable-Access-Using-iplocation/m-p/434099#M10207 jawaharas 2019-08-07T05:44:02Z https://community.splunk.com/t5/Security/Geographically-improbable-Access-Using-iplocation/m-p/434100#M10208 <P>@JRamirezEnosys <BR /> Can you upvote and accept the answer if it's helped you? Thanks.</P> Fri, 09 Aug 2019 06:05:19 GMT https://community.splunk.com/t5/Security/Geographically-improbable-Access-Using-iplocation/m-p/434100#M10208 jawaharas 2019-08-09T06:05:19Z