
How to set up an alert to detect login abuse and credential leaks using geographical and timing data?

patpro
Path Finder

Hello,

I'm a Splunk beginner and I need some help finding a way to achieve my goal.
I gather various login events: user login on the SSO web portal, POP/IMAP access, SSH login, etc. Each kind of event comes from a different source, but for every one I get a timestamp, a user login, and an IP address.
I would like to be able to detect when:

  • the same user login is used from two (or more) locations,
  • far from each other (say 500km),
  • in a given time window (say 5 hours).

I've found similar interests in calculation of distance between events here on splunk>answers, but none goes as far as what I need. The calculation itself is only one aspect. I'm confident SPLUNK can handle this, but I'm not sure about the bigger picture. I have no idea how to proceed to create a dynamic time window for each successful user login, for example.

Ultimately I need the process to act as a real-time trigger for a security alert.

I'm pretty sure it's very complex, and I don't expect an all-in-one solution. Any help is greatly appreciated.

1 Solution

patpro
Path Finder

I've found a very interesting blog post dealing with this exact same question. The approach is smart: instead of using a time window, the request calculates the speed needed to move from one location to another. It simplifies the process a lot.

http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information

Now I just need to learn how to create an alert based on query result.
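The speed-based check described in this answer, applied to the question's "same user, distant locations, short interval" scenario, as an added example in plain Python; it is not code from this thread or from the linked blog post. The IP-to-coordinate table and the four log lines are constructed for the example (in Splunk the `iplocation` command would supply the coordinates), and the speed threshold `max_kmh` is an assumed parameter, not a value from the page.

```python
# Added example (not from the Splunk Answers thread or the linked blog post):
# flag consecutive logins of one user whose required travel speed is implausible.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt, inf

# Constructed stand-in for a GeoIP lookup (Splunk's iplocation would supply lat/lon).
GEOIP = {
    "203.0.113.7": (48.8566, 2.3522),    # Paris
    "198.51.100.9": (45.7640, 4.8357),   # Lyon
    "192.0.2.44": (40.7128, -74.0060),   # New York
}

# Constructed sample events: every source normalised to "timestamp user ip".
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice 203.0.113.7
2024-03-01T09:30:00 alice 192.0.2.44
2024-03-01T08:10:00 bob 203.0.113.7
2024-03-01T12:00:00 bob 198.51.100.9
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def parse_events(text):
    """Parse log lines into (user, datetime, ip), sorted by user then time."""
    events = []
    for line in text.splitlines():
        ts, user, ip = line.split()
        events.append((user, datetime.fromisoformat(ts), ip))
    return sorted(events)

def impossible_travel(text, max_kmh=500.0):
    """Return (user, ip_a, ip_b, km, hours, kmh) for consecutive logins of the
    same user that would require travelling faster than max_kmh (assumed threshold)."""
    hits = []
    events = parse_events(text)
    for (u1, t1, ip1), (u2, t2, ip2) in zip(events, events[1:]):
        if u1 != u2 or ip1 == ip2 or ip1 not in GEOIP or ip2 not in GEOIP:
            continue  # different users, same address, or no geo data: skip
        km = haversine_km(*GEOIP[ip1], *GEOIP[ip2])
        hours = (t2 - t1).total_seconds() / 3600
        # Same-second logins from distinct places need "infinite" speed.
        kmh = km / hours if hours > 0 else (inf if km > 0 else 0.0)
        if kmh > max_kmh:
            hits.append((u1, ip1, ip2, round(km), round(hours, 2), round(kmh)))
    return hits
```

Lowering `max_kmh` trades more true positives for more false alarms from VPNs, mobile carriers and coarse GeoIP data, so the threshold should be tuned against your own login sources.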


sedward5
Engager

Thanks for sharing my blog. 😃
