I am working with some WAF logs that provide a correlation from sourceIP to city_name, country_name, latitude, and longitude, but not state information. I am currently only looking at the United States.
I need to somehow enrich the data to help filter user logins by time and distance between last login or if there are parallel logins going on.
Please advise where I might start.
Thank you
hello there,
see these answers here:
https://answers.splunk.com/answers/219607/how-to-search-concurrent-logins-from-geographicall.html
https://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html
which leads to this nice blog:
http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information/
hope it helps
P.S. I think there is a pre-built search for it in ES; look here:
http://docs.splunk.com/Documentation/ES/5.1.0/User/UserRisk#Dashboard_Panels_2
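As an added example (not code from this thread, the linked blog, or ES): the same check in Python over constructed WAF events, sorting logins per user and flagging any consecutive pair whose implied travel speed is impossible, with a zero-time gap treated as a parallel login. The field names, the 900 km/h threshold and the sample lines are assumptions.

```python
import json
import math
from datetime import datetime, timezone

# Constructed sample WAF log lines (assumed field names), one JSON event per login.
SAMPLE_LOGS = [
    '{"user":"alice","src_ip":"203.0.113.10","city_name":"Denver","country_name":"United States","latitude":39.74,"longitude":-104.99,"time":"2019-06-01T12:00:00Z"}',
    '{"user":"alice","src_ip":"198.51.100.7","city_name":"Miami","country_name":"United States","latitude":25.76,"longitude":-80.19,"time":"2019-06-01T12:30:00Z"}',
    '{"user":"bob","src_ip":"192.0.2.44","city_name":"Seattle","country_name":"United States","latitude":47.61,"longitude":-122.33,"time":"2019-06-01T08:00:00Z"}',
    '{"user":"bob","src_ip":"192.0.2.45","city_name":"Portland","country_name":"United States","latitude":45.52,"longitude":-122.68,"time":"2019-06-01T11:00:00Z"}',
]

MAX_SPEED_KMH = 900.0  # assumed threshold: roughly airliner speed; faster than this is "impossible travel"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_event(line):
    """Parse one JSON log line and attach a timezone-aware timestamp."""
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def find_impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Group logins per user, sort by time, and flag consecutive pairs whose implied speed exceeds the limit."""
    by_user = {}
    for ev in map(parse_event, lines):
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["latitude"], prev["longitude"], cur["latitude"], cur["longitude"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # zero elapsed time with a nonzero distance is a parallel login from two places
            speed = float("inf") if hours == 0 and km > 0 else (km / hours if hours else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city_name"], "to": cur["city_name"],
                               "km": round(km, 1), "hours": round(hours, 2), "kmh": round(speed, 1)})
    return alerts

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGS):
        print(alert)
```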
Thanks for the reply.
I don't have ES, but someone previously installed MaxMind.
A long time ago I used something to create this type of alert but I cannot find my notes.
When I find it I will post it.