Hi Splunkers,
I recently set up a use case based of BIAS failure logins with a threshold limit of 9 logins per day according to my company requirements. Now, My management asking me to check if there are any out of the box Splunk features we could run against BIAS logs + Domain controller logs.
Any information regarding this would be helpful. Also, I'm trying to use
"iplocation"
Please describe the problems you are trying to solve regarding your BIAS logs and we may be able to offer suggestions for them.
Please post a new question about iplocation.
In the BIAS Logins check, is there any logic that alerts on "Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time)."?
Abnormal account activity is a broad topic for which Splunk has a dedicated product - UBA (Use Behavior Analytics).
The Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435) has example searches for geographically improbable access and access outside of business hours. You should be able to adapt them to your needs.