https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429215#M5562 <P>couple of accepted answers in this portal that leads to this blog:<BR /> <A href="http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information/">http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information/</A></P> <P>here are the answers:<BR /> <A href="https://answers.splunk.com/answers/219607/how-to-search-concurrent-logins-from-geographicall.html">https://answers.splunk.com/answers/219607/how-to-search-concurrent-logins-from-geographicall.html</A><BR /> <A href="https://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html">https://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html</A></P> <P>hope it helps</P> Tue, 30 Apr 2019 00:00:03 GMT adonio 2019-04-30T00:00:03Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429212#M5559 <P>Hello,</P> <P>We have multiple international locations (Japan, Italy, Spain ect...) and are looking to identify events that occur outside a 50 mile radius from each location using their latitude and longitude. The end goal is to set different thresholds for these sites. Id imagine ill need to create a lookup for each locations latitude and longitude for the query to reference. </P> <P>I'm not exactly sure where to begin and hope you guys can point me in the right direction. </P> Mon, 29 Apr 2019 18:46:16 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429212#M5559 bbraun 2019-04-29T18:46:16Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429213#M5560 <P>Have you looked access anomalies dashboard which is available as part of user activity monitoring? Geographically Improbable Accesses - <A href="https://docs.splunk.com/Documentation/ES/5.3.0/User/UserRisk#Access_Anomalies">https://docs.splunk.com/Documentation/ES/5.3.0/User/UserRisk#Access_Anomalies</A></P> Mon, 29 Apr 2019 20:26:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429213#M5560 lakshman239 2019-04-29T20:26:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429214#M5561 <P>yea, I figured I could steal logic from the Correlation Search as a plan B. I was hoping someone had already tackled this issue since I dont have a lot of experience building queries. </P> Mon, 29 Apr 2019 20:51:15 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429214#M5561 bbraun 2019-04-29T20:51:15Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429215#M5562 <P>couple of accepted answers in this portal that leads to this blog:<BR /> <A href="http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information/">http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information/</A></P> <P>here are the answers:<BR /> <A href="https://answers.splunk.com/answers/219607/how-to-search-concurrent-logins-from-geographicall.html">https://answers.splunk.com/answers/219607/how-to-search-concurrent-logins-from-geographicall.html</A><BR /> <A href="https://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html">https://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html</A></P> <P>hope it helps</P> Tue, 30 Apr 2019 00:00:03 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Identifying-events-that-originate-greater-than-50-miles-from-a/m-p/429215#M5562 adonio 2019-04-30T00:00:03Z