How to track impossible travel events for users wh...

drathbo · ‎02-08-2023

Good afternoon,

I'm looking for a way to track impossible travel events for users who are logging in to applications using Duo 2fa. Basically if a user gets a duo push from an IP, lets say in America, then another duo event in France within a short time period, this would be an event we want to investigate. Is it possible to do this using splunk queries?

richgalloway · ‎02-08-2023

There are examples of that query in the Splunk Security Examples app. None of them fit your exact scenario, but they should be adaptable to your environment.

---
If this reply helps you, Karma would be appreciated.

drathbo · ‎02-13-2023

Thanks for the answer. What is the Splunk Security Examples app? I logged into my splunk instance and didn't see an app with that name. Thanks again!

richgalloway · ‎02-13-2023

if you don't see the SSE app on your instance then it will have to be installed from splunkbase (https://splunkbase.splunk.com/app/3435).

---
If this reply helps you, Karma would be appreciated.

How to track impossible travel events for users who are logging in to applications using Duo 2fa?

lookup

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud