
Single VPN User logging in from different geographical areas?



I was wondering how I should approach this interesting rule.

So how would I be able to capture a certain VPN user logging in from different geographical areas within a time frame of less than 24 hours?

Any ideas!


Accepted Solutions
Fleet Admiral

I prefer the first option - do something like this:

1) Look for the VPN login and make sure you have the external IP address (to do the geo mapping) - add to an active list for VPN logins IF they are not already on the list

2) If there is an entry on the list, check that the time is less than 24 hours and calculate the distance between the two geo locations

3) Generate an alert if there is a mismatch and trigger a notification

Maybe 24 hours is a little too much, but I would look for say 4 hours, but take a look at this previous post on Protect - it's pretty detailed and be aware of some of the calculations involved:

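The three steps in the accepted answer, written out as an added example (not code from the thread or from ArcSight): a per-user "active list" holding the last VPN login, a great-circle distance between the previous and current geo location, and an alert when the implied travel speed within the time window is implausible. The sample events, coordinates, 4-hour window and 900 km/h speed threshold are all constructed assumptions for illustration; in a SIEM the coordinates would come from GeoIP enrichment of the external IP.

```python
# Added example: "impossible travel" check for VPN logins, modelled on the
# active-list approach described above. All sample data is constructed.
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

WINDOW = timedelta(hours=4)      # the answer suggests 4h rather than 24h (assumption)
MAX_SPEED_KMH = 900.0            # faster than a commercial flight -> implausible (assumption)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def check_logins(events, window=WINDOW, max_speed_kmh=MAX_SPEED_KMH):
    """events: time-ordered list of (user, timestamp, lat, lon) for successful VPN logins.
    Keeps the last login per user (the "active list") and returns one alert tuple
    (user, distance_km, elapsed_hours) for each login that the user could not
    plausibly have reached from the previous location inside the window."""
    last_login = {}   # active list: user -> (timestamp, lat, lon)
    alerts = []
    for user, ts, lat, lon in events:
        if user in last_login:
            prev_ts, plat, plon = last_login[user]
            elapsed = ts - prev_ts
            if timedelta(0) <= elapsed <= window:          # only compare inside the window
                dist = haversine_km(plat, plon, lat, lon)
                hours = max(elapsed.total_seconds() / 3600.0, 1 / 60.0)  # floor at 1 min
                if dist / hours > max_speed_kmh:
                    alerts.append((user, round(dist), round(hours, 2)))
        last_login[user] = (ts, lat, lon)   # refresh the entry with the newest login
    return alerts

# Constructed sample: one user logs in from London, then from New York 90 minutes later.
SAMPLE = [
    ("anwer", datetime(2023, 1, 1, 8, 0), 51.51, -0.13),    # London
    ("bob",   datetime(2023, 1, 1, 8, 5), 48.86, 2.35),     # Paris
    ("anwer", datetime(2023, 1, 1, 9, 30), 40.71, -74.01),  # New York, 1.5 h later -> alert
    ("bob",   datetime(2023, 1, 1, 20, 0), 52.52, 13.40),   # Berlin, ~12 h later -> outside window
]

if __name__ == "__main__":
    for user, km, hrs in check_logins(SAMPLE):
        print("ALERT: %s moved %d km in %.2f h" % (user, km, hrs))
```

The second login for "bob" falls outside the 4-hour window, so it refreshes the active-list entry without being compared; that is the same behaviour as re-adding a user to the list after the entry expires.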
Captain

I would think this will be as simple as creating a rule to look at VPN events for the same user ID where the geo location is not the same.

So add all VPN user IDs and geolocations to an active list on the first events, then run another rule looking at VPN IDs and cross-matching them with the first active list, and if the location is different fire an alert and add them to another list.

Hope this helps.

Fleet Admiral

Hi Anwer,

It's an easy task. You want a filter to look at VPN traffic and VPN user/user ID. Then make a trend using that filter. After that you can make a query like: select username, timestamp, geolocation, group by user, geolocation, timestamp.

Cheers

Gayan

Ensign

Hi Guys,

Thank you all for your replies.

Paul, indeed your way is correct and gave me a solid understanding to fix the issue.

A small exception is that we don't bind a certain user to a certain country, so the active list isn't really necessary here, since those users travel and log in from different countries from time to time.

The below rule set, on an aggregation of 1 match every 24 hours, solved the issue,

where Device Event Class ID is the successful-login or failed-login event class ID of the SSL VPN vendor.

Cadet 3rd Class

This free VPN will help you in the task.
