Can anyone try to explain the logic behind the "Geographically Improbable Access Detected" query which is listed below?
```spl
| tstats `summariesonly` values(Authentication.app) as app, latest(Authentication.user_bunit) as user_bunit from datamodel=Authentication.Authentication by Authentication.user,Authentication.src _time span=1s
| `drop_dm_object_name("Authentication")`
| eventstats dc(src) as src_count by user
| search src_count>1
| sort 0 + _time
| `get_asset(src)`
| iplocation src
| eval session_lat=if(isnull(src_lat), lat, src_lat)
| eval session_lon=if(isnull(src_long), lon, src_long)
| eval session_city=if(isnull(src_city), City, src_city)
| where isnotnull(session_lat) and isnotnull(session_lon)
| sort 0 + _time
| streamstats current=t window=2 earliest(session_lat) as prev_lat, earliest(session_lon) as prev_lon, earliest(session_city) as prev_city, earliest(_time) as prev_time, earliest(src) as prev_src, latest(user_bunit) as user_bunit by user
| where (src!=prev_src)
| `globedistance(session_lat,session_lon,prev_lat,prev_lon,"m")`
| eval time_diff=if((_time-prev_time)==0, 1, _time - prev_time)
| eval speed = round(distance*3600/time_diff,2)
| where speed>500
```
That search takes a look at where folks are logging in from. If there is one person logging in from two places over that time period, it calculates the distance between the two locations and using that and the time difference between the two logins, calculates the speed that would have been necessary for you to have legitimately done so. If that speed was greater than 500 mph, then it'll return those events as suspicious.
Assume I log in from home at 10:00 AM. I log out right away because I have to make an emergency run to Starbucks. I go to my nearest Starbucks 90 miles away and log in there at 11:30 AM. We now have two records for me logging in, ~90 miles apart and ~90 minutes apart. That's a speed of 60 miles per hour (1 mile per minute), which is totally OK.
Let's say instead I log in at 10:00 AM but decide Starbucks is too far away; I'll just make my own coffee for 10% of the cost. But unknown to me, some hacker in China logs into my account at 11:30 AM. My location to China is far. Very far. Let's call it 10,000 miles. So to have gone from my location to China, I would have had to travel at - well, something like an AVERAGE of 6,667 mph. I don't know about you, but I don't know where I'd even get a plane ticket for that, let alone get through security in less than an hour and a half. So that event would pop out of the end of this because it exceeds the set limit of 500 mph (right at the end of it).
Does that make sense now?
A quick explanation of the stuff inside the search.
The `| tstats ...` finds your data. The `| drop_dm_object_name ...` just makes the field names more readable, converting `Authentication.user` into just plain old `user`. The `| eventstats ...` command is finding a distinct count (`dc`) of sources by user so that it can `| search src_count>1` to find only those people who had multiple logins. (If you only had one login you didn't travel.) Then `| sort ...`, which is self explanatory. Then we run `| get_asset ...` to add asset information and find out the name of the system, if one exists.
Next we get into the meat of the thing. The `| iplocation src` and the following several `| eval ...` statements use a lookup to find out where the IP comes from, then clean up some of the returned information. There's a little more cleanup with the `| where ...` and `| sort ...`, then we do a `| streamstats ...` to take a moving window of two logins by user so we have a list of "previous login" and "current login" to compare with. The `| where ...` pulls out only those record pairs where the previous and current login locations are actually different.
Now the other meaty part. Since we now have a record with a latitude and longitude of both the old login and the new login, we use a command called `globedistance` to determine how many miles apart they are, then a simple `eval` to determine how much time was between them.
And with that, it's just a couple of quick calculations to figure out how fast they must have been traveling and to finally pull out those records where the speed was higher than some predetermined threshold.
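The same pairing-and-speed logic as a stand-alone Python check, added here as an example (not code from the original post or from Splunk ES). It assumes `globedistance(...,"m")` returns great-circle miles, which a haversine function stands in for, and runs over a constructed set of login records that already carry the coordinates `iplocation`/`get_asset` would attach.

```python
import math
from collections import defaultdict

EARTH_RADIUS_MILES = 3958.8   # assumption: globedistance(...,"m") yields great-circle miles
SPEED_THRESHOLD_MPH = 500     # the search's `where speed>500`

# Constructed sample logins (not real data): what the tstats/iplocation/get_asset stages
# would hand to streamstats. _time is epoch seconds; dave's last login has no geo data.
SAMPLE_LOGINS = [
    {"_time": 1700000000, "user": "alice", "src": "198.51.100.10", "lat": 40.7128, "lon": -74.0060, "city": "New York"},
    {"_time": 1700005400, "user": "alice", "src": "203.0.113.5", "lat": 34.0522, "lon": -118.2437, "city": "Los Angeles"},
    {"_time": 1700000000, "user": "bob", "src": "192.0.2.20", "lat": 45.0, "lon": -93.0, "city": "Home"},
    {"_time": 1700005400, "user": "bob", "src": "192.0.2.21", "lat": 46.3, "lon": -93.0, "city": "Starbucks"},
    {"_time": 1700000000, "user": "carol", "src": "192.0.2.30", "lat": 51.50, "lon": -0.12, "city": "London"},
    {"_time": 1700000000, "user": "carol", "src": "192.0.2.31", "lat": 48.85, "lon": 2.35, "city": "Paris"},
    {"_time": 1700000000, "user": "dave", "src": "192.0.2.40", "lat": 51.50, "lon": -0.12, "city": "London"},
    {"_time": 1700001000, "user": "dave", "src": "192.0.2.40", "lat": 51.50, "lon": -0.12, "city": "London"},
    {"_time": 1700002000, "user": "dave", "src": "192.0.2.41", "lat": None, "lon": None, "city": None},
]

def globe_distance_miles(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance in miles (stand-in for the globedistance macro)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def find_improbable_access(logins, threshold_mph=SPEED_THRESHOLD_MPH):
    """Return the login pairs the search would alert on, one dict per pair."""
    by_user = defaultdict(list)
    for rec in sorted(logins, key=lambda r: r["_time"]):   # sort 0 + _time
        if rec["lat"] is None or rec["lon"] is None:      # where isnotnull(session_lat) ...
            continue
        by_user[rec["user"]].append(rec)
    hits = []
    for user, recs in by_user.items():
        # streamstats window=2 by user: compare each login with the previous one
        for prev, cur in zip(recs, recs[1:]):
            if cur["src"] == prev["src"]:                  # where (src!=prev_src)
                continue
            distance = globe_distance_miles(cur["lat"], cur["lon"], prev["lat"], prev["lon"])
            time_diff = cur["_time"] - prev["_time"]
            if time_diff == 0:                             # same-second logins: avoid divide by zero
                time_diff = 1
            speed = round(distance * 3600 / time_diff, 2)  # miles per second -> mph
            if speed > threshold_mph:
                hits.append({"user": user, "prev_src": prev["src"], "src": cur["src"],
                             "prev_city": prev["city"], "city": cur["city"],
                             "distance": round(distance, 2), "time_diff": time_diff, "speed": speed})
    return hits
```

Bob's 90-mile, 90-minute trip stays under the threshold; alice's New York to Los Angeles pair and carol's same-second London/Paris pair (time_diff forced to 1) are flagged, and dave's repeated source is never paired.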
Does anyone have an idea about the source and destination fields in this alert? I want to tune this for our environment, since whenever any user connects through VPN or RDP I get this alert.
Below is the source which is being used:
source="Access - Geographically Improbable Access - Summary Gen"
If anyone has tuned this for their environment, please let me know.
Please repost as a new question - you'll get better answers than you would from resurrecting this two year old thread.
Also, when you do the above, please include more information - "Has anyone tuned this for their environment" is possibly going to get you a "yes" answer without other detail. 🙂
For instance, how would you WANT to tune it? VPNs and RDP are exactly things that make it look like the person traveled faster than lightspeed. Would you expect the Russian hacker to only VPN in after he's waited a suitable amount of time?
Anyway, ask all that in a new question!
For now I'm going to convert your Answer here into a comment, so you can refer to it again but so it doesn't confuse people who stumble on this answer.
Sorry, I should have noticed this earlier.
You'll get better responses if you post this as a new question. Also please include a bit more detail - what do you mean by "I am not able to use this" - Does it error, does it just not give sensible results, does it have a macro that's no longer defined... ? And what do you mean by "latest version of Splunk?" I'm looking at this in July wondering "What was the current version at the end of February..."
But no worries! I'm going to move this to a comment since it's not really an Answer...
Does the globedistance command still exist? I'm running version 5.1.0 of ES and when I try running the Geo Improbable Access rule I get an error that the globedistance command does not exist. This worked in earlier versions of ES.