Solved: Re: Report all Logon Activity != United States

itsmevic · ‎01-12-2021

I'd like to pull a logon report that shows me any logon activity that is != to the United States. Any help is greatly appreciated.

General_Talos · ‎01-12-2021

Try this

| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,count from datamodel=Authentication.Authentication where *   (Authentication.src="*") (Authentication.dest="*") by Authentication.src_ip,Authentication.src_user,Authentication.user  
|  `drop_dm_object_name("Authentication")`
| iplocation src_ip
| where Country!="United States"

You can change your search based on requirement and identify the field name (like src_ip / dest_ip) for which you want to identify geo_location and use | iplocation <field_name>

https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation

View solution in original post

General_Talos · ‎01-12-2021

Try this

| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,count from datamodel=Authentication.Authentication where *   (Authentication.src="*") (Authentication.dest="*") by Authentication.src_ip,Authentication.src_user,Authentication.user  
|  `drop_dm_object_name("Authentication")`
| iplocation src_ip
| where Country!="United States"

You can change your search based on requirement and identify the field name (like src_ip / dest_ip) for which you want to identify geo_location and use | iplocation <field_name>

https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation

itsmevic · ‎01-12-2021

Thank you!

Report all Logon Activity != United States

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!