Finding multiple connections from different countries
We're importing our VPN logs into NetWitness and I would like to setup like an alert or report that will trigger when accounts are connecting to VPN from more than one country.
e.g. Two logons for jsmith from Indonesia and France, trigger an alert 'Hey they can't possibly be in two places at once'
What suggestions do you have to accomplish this?
Either of these rules will look for that kind of activity, but focused on source and dest IPs and Hosts, rather than Countries (these also use Context Hub whitelists for easier tuning anf elimination of false positives):
The following uses the exact same logic from those rules, but looks at source and dest Country instead (over 3 minute window or 3 events, whichever occurs first):
SELECT * FROM Event(
AND ec_activity.toLowerCase() IN ('Logon')
AND ec_outcome.toLowerCase() IN ('Success')
AND user_dst IS NOT NULL
AND country_src IS NOT NULL
AND country_dst IS NOT NULL
).std:groupwin(user_dst).win:time_length_batch(180 seconds, 3).std:unique(country_src,country_dst) group by user_dst having count(*) = 3;