Dashboards & Visualizations

How to set up an alert to detect login abuse and credential leaks using geographical and timing data?

patpro
Path Finder

Hello,

I'm a SPLUNK beginner and I would need some help finding a way to achieve my goal.
I gather various login events: user login on the SSO web portal, POP/IMAP access, SSH login, etc. Each kind of event comes from a different source, but for every one I get a timestamp, a user login, and an IP address.
I would like to be able to detect when:

  • the same user login is used from two (or more) locations,
  • far from each other (say 500km),
  • in a given time window (say 5 hours).

I've found similar interests in calculation of distance between events here on splunk>answers, but none goes as far as what I need. The calculation itself is only one aspect. I'm confident SPLUNK can handle this, but I'm not sure about the bigger picture. I have no idea how to proceed to create a dynamic time window for each successful user login, for example.

Ultimately I need the process to act as a real-time trigger for security alert.

I'm pretty sure it's very complex, and I don't expect a all-in-one solution. Any help is greatly appreciated.

1 Solution

patpro
Path Finder

I've found a very interesting blog post dealing with this exact same question. The approach is smart: instead of using a time window, the request calculates the speed needed to move from one location to another. It simplifies the process a lot.

http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information

Now I just need to learn how to create an alert based on query result.

View solution in original post

patpro
Path Finder

I've found a very interesting blog post dealing with this exact same question. The approach is smart: instead of using a time window, the request calculates the speed needed to move from one location to another. It simplifies the process a lot.

http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information

Now I just need to learn how to create an alert based on query result.

sedward5
Engager

Thanks for sharing my blog. 😃

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...