Re: How to create an alert for login activity by s...

Log_wrangler · ‎07-10-2018

I am working with some WAF logs that provide a correlation from sourceIP to city_name, country_name, latitude, and longitude, but not state information. I am currently only looking at the United States.

I need to somehow enrich the data to help filter user logins by time and distance between last login or if there are parallel logins going on.

Please advise where I might start.

Thank you

adonio · ‎07-10-2018

hello there,

see these answers here:
https://answers.splunk.com/answers/219607/how-to-search-concurrent-logins-from-geographicall.html
https://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html
which leads to this nice blog:
http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information/

hope it helps

p.s. i think there is a pre-built search for it in ES look here:
http://docs.splunk.com/Documentation/ES/5.1.0/User/UserRisk#Dashboard_Panels_2

Log_wrangler · ‎07-11-2018

Thanks for the reply.
I don't have ES, but someone previously install maxmind.
A long time ago I used something to create this type of alert but I cannot find my notes.

When I find it I will post it.

How to create an alert for login activity by same userID, different geoLoc, within time range?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk