Splunk Enterprise Security

Splunk Telecommunication App to ingest RADIUS Account START|STOP record

lionel_orishane
New Member

Hi there,

I have a scenario that we are trying to design for a Telco to improve on overall IP/MSISDN subscriber reputation with Executive Summary or reporting.

a. For 2G/3G/4G mobile networks, subscriber ID = MSISDN – using SGSN, GGSN & HLR.
i. An MSISDN is the number associated with a SIM card
ii. Usually stored in Calling-Station-Id RADIUS attribute

b. For ADSL networks, subscriber ID = ADSL modem login – using the DSLAM & HLR
i. The login ID uniquely identifies the ADSL connection
ii. Usually stored in User-Name RADIUS attribute

We are hoping the SPLUNK Enterprise and Telecommunication App would have capability to retrieve the Calling-Station-Id and the Framed-IP-Address attributes from the START accounting record to update its local (SQL)table - as displayed by the RADIUS capture Attached:

For 2G/3G/4G/5Gsubscribers, the RADIUS server natively uses the Calling-Station-Id to store the subscriber ID (= the MSISDN number).

Then an AntiSpam solution can be configured to block the Outbound SPAM emails then share this blocked detection logs with DDEI via Syslog.

There's expected to be a concise correlation and reporting from the SIEM on the following. Detection by IP - MSISDN - Number of Spam detection - Sender Email ID - Recipient Email ID - Timestamp of Last event. There should be capability to drill down or further on this as well.

kindly advise or guide if this splunk App inherently has such capability explained above.

Regards,
Lionel

0 Karma

anortrup_splunk
Splunk Employee
Splunk Employee

For clarity, this question does not pertain to Splunk Investigate.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...