Hello,
I'm a Splunk beginner and I need some help finding a way to achieve my goal.
I gather various login events: user login on the SSO web portal, POP/IMAP access, SSH login, etc. Each kind of event comes from a different source, but for every one I get a timestamp, a user login, and an IP address.
I would like to be able to detect when:
I've found similar questions about calculating the distance between events here on splunk>answers, but none goes as far as what I need. The calculation itself is only one aspect. I'm confident Splunk can handle this, but I'm not sure about the bigger picture. I have no idea how to proceed to create a dynamic time window for each successful user login, for example.
Ultimately I need the process to act as a real-time trigger for a security alert.
I'm pretty sure it's very complex, and I don't expect an all-in-one solution. Any help is greatly appreciated.
I've found a very interesting blog post dealing with this exact same question. The approach is smart: instead of using a time window, the request calculates the speed needed to move from one location to another. It simplifies the process a lot.
http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information
Now I just need to learn how to create an alert based on query result.
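The speed-based approach described in the comment above, worked through end to end as an added example (this is not code from the original thread or from the linked blog post): events from three constructed source formats (SSO portal, IMAP, sshd) are parsed into one schema, each IP is geolocated through a constructed lookup table that stands in for a GeoIP database, and consecutive logins of the same user are compared by great-circle distance and the speed that would be required to cover it. The thresholds `max_kmh` and `min_km`, the log formats and all addresses are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed lookup table standing in for a GeoIP database (the role that
# Splunk's `iplocation` command plays). Documentation-range addresses only.
GEO = {
    "203.0.113.10": (48.8566, 2.3522),    # Paris
    "198.51.100.7": (48.8534, 2.3488),    # Paris, different ISP
    "192.0.2.55": (40.7128, -74.0060),    # New York
    "203.0.113.200": (45.7640, 4.8357),   # Lyon
}

# Constructed sample lines: one format per source type from the question.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z sso portal: login ok user=alice src=203.0.113.10
2024-03-01T08:00:05Z sso portal: login ok user=bob src=203.0.113.10
2024-03-01T08:45:00Z dovecot: imap-login: Login: user=<alice>, rip=198.51.100.7
2024-03-01T09:10:00Z sshd[4242]: Accepted publickey for alice from 192.0.2.55 port 51234 ssh2
2024-03-01T14:00:00Z sshd[4311]: Accepted password for bob from 203.0.113.200 port 40111 ssh2
2024-03-01T14:05:00Z sso portal: login ok user=carol src=10.9.8.7
"""

# One regex per source; each yields (timestamp, user, ip) in the same order.
PATTERNS = [
    ("sso", re.compile(r"^(\S+) sso portal: login ok user=(\S+) src=(\S+)$")),
    ("imap", re.compile(r"^(\S+) dovecot: imap-login: Login: user=<([^>]+)>, rip=(\S+)$")),
    ("ssh", re.compile(r"^(\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")),
]


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    ip: str
    source: str


@dataclass(frozen=True)
class Alert:
    user: str
    from_ip: str
    to_ip: str
    km: float
    hours: float
    kmh: float


def parse_events(text: str) -> list[Login]:
    """Normalise heterogeneous login lines into one (ts, user, ip) schema."""
    events = []
    for line in text.splitlines():
        for source, pat in PATTERNS:
            m = pat.match(line)
            if m:
                ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
                events.append(Login(ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), source))
                break
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events: list[Login], max_kmh: float = 900.0, min_km: float = 50.0) -> list[Alert]:
    """Flag a login when reaching it from the user's previous geolocatable
    login would require a speed above max_kmh. Pairs closer than min_km
    (same metro area seen through different ISPs) are ignored, and a zero
    time gap over a real distance is treated as infinite speed."""
    alerts = []
    last: dict[str, Login] = {}  # user -> previous geolocatable login
    for ev in sorted(events, key=lambda e: e.ts):
        coords = GEO.get(ev.ip)
        if coords is None:
            continue  # private or unknown address: nothing to compare against
        prev = last.get(ev.user)
        last[ev.user] = ev
        if prev is None or prev.ip == ev.ip:
            continue
        km = haversine_km(*GEO[prev.ip], *coords)
        if km < min_km:
            continue
        hours = (ev.ts - prev.ts).total_seconds() / 3600.0
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            alerts.append(Alert(ev.user, prev.ip, ev.ip, km, hours, kmh))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a.user}: {a.from_ip} -> {a.to_ip}, {a.km:.0f} km in {a.hours:.2f} h ({a.kmh:.0f} km/h)")
```

On the sample data only alice is flagged (Paris to New York in 25 minutes); bob's Paris to Lyon over six hours is well under the threshold, alice's two Paris logins from different ISPs fall under `min_km`, and carol's private address is skipped rather than crashing the run. In Splunk the same pipeline has the same shape: geolocate the IP field with `iplocation`, carry the previous login's coordinates and time per user with `streamstats` (window of 1, `by user`), then `eval` the distance and speed and alert on the result; that outline is mine, not the blog's query.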
Thanks for sharing my blog. 😃