
Detecting Login Attempts both Successful and Not, that come from Outside of the United States

itsmevic
Communicator

Hello Splunkers! 

I wanted to ask if anyone out there has some SPL that I can use as an alert to detect failed and successful logins detected that are !=United States?

Thank you for your help! 

 


scelikok
SplunkTrust

Hi @itsmevic,

You can use the iplocation command to check the country, as a sample:

| iplocation src_ip
| search Country!="United States"

If this reply helps you, an upvote is appreciated.
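
A fuller alert search built on the `iplocation` approach in the answer above, as an added example that is not part of the original thread. It assumes the login events are CIM-tagged (`tag=authentication`) with `action`, `src` and `user` fields; if your data uses `src_ip` as in the answer, substitute that field name, and replace the base search with your own index and sourcetype.

```spl
tag=authentication (action=success OR action=failure) src=*
| iplocation src
| where isnotnull(Country) AND Country!="" AND Country!="United States"
| stats count AS attempts,
        values(action) AS actions,
        dc(user) AS distinct_users,
        values(user) AS users,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY src, Country
| convert ctime(first_seen) ctime(last_seen)
| sort - attempts
```

The `where` clause drops events with no `Country` value, which is what `iplocation` leaves for private (RFC 1918) and unresolvable addresses, so internal logins do not fire the alert. Saved as an alert, trigger when the number of results is greater than zero.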
