Good afternoon,
I'm looking for a way to track impossible travel events for users who are logging in to applications using Duo 2fa. Basically if a user gets a duo push from an IP, lets say in America, then another duo event in France within a short time period, this would be an event we want to investigate. Is it possible to do this using splunk queries?
There are examples of that query in the Splunk Security Examples app. None of them fit your exact scenario, but they should be adaptable to your environment.
Thanks for the answer. What is the Splunk Security Examples app? I logged into my splunk instance and didn't see an app with that name. Thanks again!
if you don't see the SSE app on your instance then it will have to be installed from splunkbase (https://splunkbase.splunk.com/app/3435).