Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to monitor when User login from suspicious country?

debjit_k
Path Finder
‎10-19-2022 05:22 AM

Hi,

im working on new use case, but was stuck in few things. 

I want to create a use case logic to monitors whenever user/IP are trying to access to log in from non authorize country. 
 
example a use is support to log in from Berlin but he or she is log in from Chicago. 

My ask

1. Is it possible from Splunk end to implement such use case
2. If yes what kind of logs we need to monitor such activity, is FW logs are enough?

3. What will be the query 

 

thanks 

Labels (1)
Labels
0 Karma
Reply

debjit_k
Path Finder
‎10-19-2022 05:46 AM

Hi @gcusello ,

im having Splunk Security Essentials app on my Splunk I will try to check there. 

I don’t understand the 2nd one public IP n lookup table.. 

It will be easy for me to understand if you could give me an sample query. 

Thank you 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-19-2022 07:06 AM

Hi @debjit_k,

using the above search you extract the Country from the ip address using the iplocation command, country that you can check using a rougue countries lookup.

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Iplocation

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-19-2022 05:33 AM

Hi @debjit_k,

ys, it's possible.

this use case is implemented in Enterprise Security (Premium App), in ES Content Updates (https://splunkbase.splunk.com/app/3449) and in Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435).

You need of a public IP and a lookup (available in Splunk) with the iplocation to associate an IP to a country.

Now I haven't these Use Cases available, but they should be something like this:

<your_search>
| iplocation src_ip 
| table src_ip Country

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...