Re: User login from suspicious country

debjit_k · ‎10-19-2022

Hi,

im working on new use case, but was stuck in few things.

I want to create a use case logic to monitors whenever user/IP are trying to access to log in from non authorize country.

example a use is support to log in from Berlin but he or she is log in from Chicago.

My ask

1. Is it possible from Splunk end to implement such use case
2. If yes what kind of logs we need to monitor such activity, is FW logs are enough?

3. What will be the query

thanks

debjit_k · ‎10-19-2022

Hi @gcusello ,

im having Splunk Security Essentials app on my Splunk I will try to check there.

I don’t understand the 2nd one public IP n lookup table..

It will be easy for me to understand if you could give me an sample query.

Thank you

gcusello · ‎10-19-2022

Hi @debjit_k,

using the above search you extract the Country from the ip address using the iplocation command, country that you can check using a rougue countries lookup.

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Iplocation

Ciao.

Giuseppe

gcusello · ‎10-19-2022

Hi @debjit_k,

ys, it's possible.

this use case is implemented in Enterprise Security (Premium App), in ES Content Updates (https://splunkbase.splunk.com/app/3449) and in Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435).

You need of a public IP and a lookup (available in Splunk) with the iplocation to associate an IP to a country.

Now I haven't these Use Cases available, but they should be something like this:

<your_search>
| iplocation src_ip 
| table src_ip Country

Ciao.

Giuseppe

Is it possible to monitor when User login from suspicious country?

other

search head clustering

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!