Splunk Search

How to set up an alert for VPN user who connects from a different city and country?

New Member

am new to Splunk and have a very basic search that give output as below for vpn users..

User    Group   ASA_Device  int_ip  ext_ip  City             Country    time    count
user1   rsa  asa1         x.x.x.x   x.x.x.x Ottawa       Canada  x:x:x  1
user2   cert    asa2          x.x.x.x   x.x.x.x Delhi         India   x:x:x 2
user1   rsa  asa1         x.x.x.x   x.x.x.x Mexico City Mexico   x:x:x  1

I want to set up an alert if user1 or any user connect from different city and country than its usual location.

Tags (4)
0 Karma

SplunkTrust
SplunkTrust

First of all, a comment that Geo-IP is sometimes notoriously inaccurate when you consider real-life things like cellular connections and roaming and so forth. You also need to make sure that you keep your GeoIP database up to date. (See http://www.georgestarcher.com/splunk-updating-the-geoip-database/) But, if we ignore these issues ...

The key here is how you define (and store) "usual". What you don't want to have to do is run searches over a large time interval to define a user's pattern of normalcy - so we should save some state in a lookup file. You might define usual as the single most-frequently used, or possibly the top over the past XX days. But, however you define normal the goal is to make a scheduled search that builds and maintains a lookup file defining normalcy.

One example of using a lookup for this purpose is here -> https://answers.splunk.com/answers/422889/how-to-search-for-newly-added-servers-by-comparing.html and another is in a .conf talk that @starcher and I did in .conf 2015. See:

http://conf.splunk.com/session/2015/recordings/2015-splunk-38.mp4
http://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf

0 Karma