Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following search parameters, but feel free to modify based on any log source you’d like to validate authentication probability for.Use Case:

Use Case: A user logs in from Canada at 1300 and the same user authenticates from another country at 1305. This is typically indicative of a hijacked session, leaked credentials, etc.

Share This:

Leave A Comment?