Hi,
im working on new use case, but was stuck in few things.
I want to create a use case logic to monitors whenever user/IP are trying to access to log in from non authorize country.
example a use is support to log in from Berlin but he or she is log in from Chicago.
My ask
1. Is it possible from Splunk end to implement such use case
2. If yes what kind of logs we need to monitor such activity, is FW logs are enough?
3. What will be the query
thanks
Hi @gcusello ,
im having Splunk Security Essentials app on my Splunk I will try to check there.
I don’t understand the 2nd one public IP n lookup table..
It will be easy for me to understand if you could give me an sample query.
Thank you
Hi @debjit_k,
using the above search you extract the Country from the ip address using the iplocation command, country that you can check using a rougue countries lookup.
For more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Iplocation
Ciao.
Giuseppe
Hi @debjit_k,
ys, it's possible.
this use case is implemented in Enterprise Security (Premium App), in ES Content Updates (https://splunkbase.splunk.com/app/3449) and in Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435).
You need of a public IP and a lookup (available in Splunk) with the iplocation to associate an IP to a country.
Now I haven't these Use Cases available, but they should be something like this:
<your_search>
| iplocation src_ip
| table src_ip Country
Ciao.
Giuseppe