How to search concurrent logins from geographically distinct locations during the same time period?

dpoloche
Explorer

I want to find when a login is used from a significantly distinct location during the same time period. We are able to get latitude and longitude information just fine, but I'm having a hard time constructing the search string that would bring back the same login being used say in Chicago and LA. I searched the knowledge base without any luck.

Sample data below:

2015-03-02 12:40:30.403-0500
Context_ID=BFB0BA8D-627B-4EA0-983E-962F8D5E2B88
Login_Date=1425318030.403
Application_Name=app_name
User_ID=nnnnn
User_Name=uid1
User_Group_ID=group_name1
Group_Name=xxxxxx
Group_Tag_ID=nnnnnnnn
Group_Type=Recipient
IPAddress=xx.xx.xx.xx
Latitude=42.90960000000001
Longitude=-78.8291
City=Buffalo
State=NY
Country=United States
PostalCode=
AreaCode=716
2015-03-02 12:40:28.903-0500
Context_ID=DD5DF112-2194-4F1C-AACF-364856CCBEDF
Login_Date=1425318028.903
Application_Name=app_name
User_ID=nnnnn
User_Name=uid2
User_Group_ID=group_name2
Group_Name=group_name2
Group_Tag_ID=nnnnnnnnnnn
Group_Type=Recipient
IPAddress=208.xx.xx.xx
Latitude=42.37219999999999
Longitude=-71.1787
City=Watertown
State=MA
Country=United States
PostalCode=02472
AreaCode=617
2015-03-02 12:40:28.357-0500
Context_ID=377AB0CF-0D24-4BDD-91BC-03DCF232ABA1
Login_Date=1425318028.357
Application_Name=app_name
User_ID=nnnnnnnn
User_Name=uid3
User_Group_ID=nnnnnn
Group_Name=group_name3
Group_Tag_ID=nnnnnnnn
Group_Type=Recipient
IPAddress=xx.xx.xx.xx
Latitude=34.03309999999999
Longitude=-84.6011
City=Kennesaw
State=GA
Country=United States
PostalCode=30144
AreaCode=770
1 Solution

bridgeythegeek
Engager

I think this existing answer will probably do what you want:
How to set up an alert to detect login abuse and credential leaks using geographical and timing data?
http://answers.splunk.com/answers/169873/how-to-set-up-an-alert-to-detect-login-abuse-and-c.html


rphillips_splun
Splunk Employee

What field(s) does "login" correspond to?
Are you trying to determine if, at this Login_Date, User_ID=x located in State=GA tried to log in to this host while also having an event with the same Login_Date, User_ID=x and State=NY? If not, can you spell out the scenario you are after, as it is not completely clear in your question.

Try this:
index=x sourcetype=y | stats values(host) as host values(User_ID) as User_ID values(State) as State by Login_Date | eval statecount=mvcount(State) | search statecount>1

or this (and control the time range with the time picker):
index=x sourcetype=y | stats values(User_ID) as User_ID values(State) as State by host | eval statecount=mvcount(State) | search statecount>1

mvcount will count the values in a multivalue field, which you can use to see if more than one exists in your result.

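The stats/mvcount searches above only catch two locations that share an identical Login_Date or host. The "impossible login" check the thread is really after compares each user's consecutive logins by distance and elapsed time. Below is an added, stand-alone Python illustration of that logic over the thread's key=value event layout; it is not code from the thread or from Splunk, and the sample events, the 900 km/h speed ceiling and the 100 km minimum distance are constructed assumptions.

```python
import math

# Constructed sample in the thread's key=value layout (not the poster's real data):
# uid1 logs in from Buffalo and, two minutes later, from Kennesaw (~1,100 km away).
SAMPLE_EVENTS = """\
2015-03-02 12:40:30.403-0500
Login_Date=1425318030.403
User_Name=uid1
Latitude=42.9096
Longitude=-78.8291
City=Buffalo
2015-03-02 12:42:30.403-0500
Login_Date=1425318150.403
User_Name=uid1
Latitude=34.0331
Longitude=-84.6011
City=Kennesaw
"""

def parse_events(text):
    """Split the feed into dicts; a line without '=' (the timestamp) starts a new event."""
    events = []
    for line in text.splitlines():
        if "=" not in line:
            events.append({})
        elif events:
            key, _, value = line.partition("=")
            events[-1][key] = value
    return events

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_logins(events, max_speed_kmh=900.0, min_km=100.0):
    """Flag consecutive same-user logins whose implied travel speed exceeds max_speed_kmh."""
    by_user, hits = {}, []   # min_km suppresses geolocation jitter between nearby IPs
    for ev in events:
        by_user.setdefault(ev["User_Name"], []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: float(e["Login_Date"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(float(prev["Latitude"]), float(prev["Longitude"]),
                              float(cur["Latitude"]), float(cur["Longitude"]))
            hours = (float(cur["Login_Date"]) - float(prev["Login_Date"])) / 3600.0
            speed = km / hours if hours > 0 else float("inf")  # same-second logins
            if km >= min_km and speed > max_speed_kmh:
                hits.append((user, prev["City"], cur["City"], round(km), round(speed)))
    return hits
```

The same calculation can be expressed in SPL with streamstats over the previous Latitude/Longitude/Login_Date per user followed by an eval of the haversine terms, which is the approach the linked answer takes.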

bridgeythegeek
Engager

I think the OP is referring to what is known as the 'Impossible Login' problem: a user account is seen to log in from geographically different locations, which is therefore heavily indicative of compromised credentials. I too am trying to figure out how to achieve this in Splunk.

dpoloche
Explorer

That is correct, I want to detect 'impossible logins'. The blog http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information/ pointed out by you has exactly what I needed.

Thank you!
