topic How to get ADFS Location Login Lookup based on IP address with iplocation region country and time? in Splunk Search

How to get ADFS Location Login Lookup based on IP address with iplocation region country and time?

nathig — Fri, 05 Jan 2018 16:35:30 GMT

Why is this search not returning the iplocation of the ip addresses. It is not the most efficient search, but right now I am just trying to get it to work for iplocation lookup. This search would run every 5 minutes for the last 5 minutes and alert on any country that does not = United States. I do not have that in the search string because right now I am just trying to get a result.

index="wineventlog" sourcetype="WinEventLog:Security" host=adfs*
    (EventCode=299 OR EventCode=410 OR EventCode=403 OR EventCode=500 OR EventCode=501) 
| rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)" 
| rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\." 
| transaction Activity_ID Instance_ID maxpause=10s 
| rex field=Message "SAIF\\\(?<domain_uid>.*).*" 
| search domain_uid=* 
| rex field=Message "(?<clientip>\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s)" 
| dedup clientip 
| dedup X_MS_Forwarded_Client_IP 
| makemv delim="," X_MS_Forwarded_Client_IP
| eval alltheips=mvappend(clientip, x_ms_forwarded_client_ip) 
| mvexpand alltheips
| iplocation alltheips
| stats values(Keywords),values(City),values(Region) ,values(Country),values(alltheips),values(ip_count),values(Activity_ID),values(Instance_ID),values(X_MS_Client_User_Agent),values(User_Agent),values(_time) by domain_uid,_time

suggestions would be helpful. This is very similar to what the following two posts are trying to do.
https://answers.splunk.com/answers/454144/is-there-a-splunk-app-or-add-on-that-will-help-rea.html
https://answers.splunk.com/answers/215994/how-do-i-find-active-directory-usernames-logging-i.html

Re: How to get ADFS Location Login Lookup based on IP address with iplocation region country and time?

mayurr98 — Fri, 05 Jan 2018 18:17:49 GMT

Hey,if you want to troubleshoot this search I would suggest not to run entire search instead run single single query and add queries thereafter and see where you do not get results. It would be very helpful

for eg.
run this search see if everything is extracted properly or not

index="wineventlog" sourcetype="WinEventLog:Security" host=adfs*
     (EventCode=299 OR EventCode=410 OR EventCode=403 OR EventCode=500 OR EventCode=501) 
 | rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)" 
 | rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\."

and then add further query one by one

Re: How to get ADFS Location Login Lookup based on IP address with iplocation region country and time?

jmjssplunkthing — Fri, 02 Mar 2018 01:17:12 GMT

For me it returns results up to line 7, were you able to figure this out?

Re: How to get ADFS Location Login Lookup based on IP address with iplocation region country and time?

rektdata — Thu, 09 May 2019 12:29:42 GMT

why does some people not using google maps? check this https://ipdetectives.io/ is there a problem with google?