Security

How to search concurrent logins from geographically distinct locations during the same time period?

dpoloche
Explorer

I want to find when a login is used from a significantly distinct location during the same time period. We are able to get latitude and longitude information just fine, but I'm having a hard time constructing the search string that would bring back the same login being used say in Chicago and LA. I searched the knowledge base without any luck.

Sample data below:

2015-03-02 12:40:30.403-0500
Context_ID=BFB0BA8D-627B-4EA0-983E-962F8D5E2B88
Login_Date=1425318030.403
Application_Name=app_name
User_ID=nnnnn
User_Name=uid1
User_Group_ID=group_name1
Group_Name=xxxxxx
Group_Tag_ID=nnnnnnnn
Group_Type=Recipient
IPAddress=xx.xx.xx.xx
Latitude=42.90960000000001
Longitude=-78.8291
City=Buffalo
State=NY
Country=United States
PostalCode=
AreaCode=716
2015-03-02 12:40:28.903-0500
Context_ID=DD5DF112-2194-4F1C-AACF-364856CCBEDF
Login_Date=1425318028.903
Application_Name=app_name
User_ID=nnnnn
User_Name=uid2
User_Group_ID=group_name2
Group_Name=group_name2
Group_Tag_ID=nnnnnnnnnnn
Group_Type=Recipient
IPAddress=208.xx.xx.xx
Latitude=42.37219999999999
Longitude=-71.1787
City=Watertown
State=MA
Country=United States
PostalCode=02472
AreaCode=617
2015-03-02 12:40:28.357-0500
Context_ID=377AB0CF-0D24-4BDD-91BC-03DCF232ABA1
Login_Date=1425318028.357
Application_Name=app_name
User_ID=nnnnnnnn
User_Name=uid3
User_Group_ID=nnnnnn
Group_Name=group_name3
Group_Tag_ID=nnnnnnnn
Group_Type=Recipient
IPAddress=xx.xx.xx.xx
Latitude=34.03309999999999
Longitude=-84.6011
City=Kennesaw
State=GA
Country=United States
PostalCode=30144
AreaCode=770
1 Solution

bridgeythegeek
Engager

I think this existing answer will probably do you want:
How to set up an alert to detect login abuse and credential leaks using geographical and timing data?
http://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html

View solution in original post

bridgeythegeek
Engager

I think this existing answer will probably do you want:
How to set up an alert to detect login abuse and credential leaks using geographical and timing data?
http://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html

rphillips_splk
Splunk Employee
Splunk Employee

what field(s) does "login" correspond to?
Are you trying to determine if, at this Login_Date User_ID=x located in State=GA tried to login to this host while also having an event with the same Login_Date User_ID = x State=NY ? if not, can you spell out the scenario you are after as it is not completely clear in your question.

try this:
index=x sourcetype=y | stats values(host) as host values(User_ID) as User_ID values(State) as State by Login_Date|eval statecount=mvcount(State)|search statecount>1

or this ( and control time with time picker 😞
index=x sourcetype=y | stats values(User_ID) as User_ID values(State) as State by host|eval statecount=mvcount(State)|search statecount>1

mvcount will count the values in a multivalue field which you can use to see if more than 1 exist in your result

0 Karma

bridgeythegeek
Engager

I think the OP is referring to what is known as the 'Impossible Login' problem: a user account is seen to login in geographically different locations and therefore heavily indicative of compromised credentials. I too am trying to figure out how to achieve this in Splunk.

dpoloche
Explorer

That is correct, I want to detect 'impossible logins'. The blog http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information/ pointed out by you has exactly what I needed.

Thank you!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...