
I was wondering how I should approach this interesting rule.
So how would I be able to capture a certain VPN user using his from different geographical areas within a time frame of less than 24 hours?
Any ideas?
Accepted Solutions

I prefer the first option - do something like this:
1) Look for the VPN login and make sure you have the external IP address (to do the geo mapping) - add to an active list for VPN logins IF they are not already on the list
2) If there is an entry on the list, check that the time is less than 24 hours and calculate the distance between the two geo locations
3) Generate an alert if there is a mismatch and trigger a notification
Maybe 24 hours is a little too much, but I would look for say 4 hours, but take a look at this previous post on Protect - it's pretty detailed, and be aware of some of the calculations involved:
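The three steps above, worked through as an added example that is not code from this thread or from ArcSight: a Python detector run over constructed VPN login events and a constructed geo-IP table. It assumes an implied-speed threshold (distance divided by elapsed time, 900 km/h here) as the "mismatch" test, and a per-user dict stands in for the active list.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed geo-IP lookup (hypothetical; a real rule would query a geo database).
GEOIP = {
    "203.0.113.10": (51.5074, -0.1278),   # London
    "198.51.100.7": (40.7128, -74.0060),  # New York
    "192.0.2.44": (48.8566, 2.3522),      # Paris
}
# Constructed VPN login events: (user, ISO-8601 timestamp, external IP).
LOGINS = [
    ("alice", "2024-03-01T08:00:00", "203.0.113.10"),
    ("alice", "2024-03-01T10:30:00", "198.51.100.7"),  # New York 2.5 h after London
    ("bob", "2024-03-01T09:00:00", "203.0.113.10"),
    ("bob", "2024-03-01T16:00:00", "192.0.2.44"),      # Paris 7 h later: plausible
    ("alice", "2024-03-03T10:00:00", "203.0.113.10"),  # >24 h since last login: not compared
]
WINDOW = timedelta(hours=24)   # the thread's time frame; 4 h was suggested as tighter
MAX_SPEED_KMH = 900.0          # assumed: faster than airline travel counts as impossible

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect_impossible_travel(logins, geoip, window=WINDOW, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, ts, km, km/h) for logins implying travel faster than max_speed_kmh.
    active_list stands in for the ArcSight active list: last login time and location per user."""
    active_list = {}
    alerts = []
    for user, ts, ip in sorted(logins, key=lambda e: e[1]):
        when, loc = datetime.fromisoformat(ts), geoip.get(ip)
        if loc is None:
            continue  # cannot geo-map this IP, so there is nothing to compare against
        prev = active_list.get(user)
        if prev is not None and when - prev[0] <= window:
            # Floor at one minute so two logins with the same timestamp still compare.
            hours = max((when - prev[0]).total_seconds() / 3600, 1 / 60)
            km = haversine_km(prev[1], loc)
            if km / hours > max_speed_kmh:
                alerts.append((user, ts, round(km), round(km / hours)))
        active_list[user] = (when, loc)  # keep the latest login, whether or not it alerted
    return alerts

if __name__ == "__main__":
    for alert in detect_impossible_travel(LOGINS, GEOIP):
        print("impossible travel: user=%s at=%s distance=%d km speed=%d km/h" % alert)
```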

I would think this will be as simple as creating a rule to look at VPN events for the same user ID where the geo location is not the same.
So add all VPN user IDs and geolocations to an active list on the first events, then run another rule looking at VPN IDs and cross-matching them with the first active list, and if the location is different, fire an alert and add them to another list.
Hope this helps.

Hi Anwer,
It's an easy task. You want a filter to look at VPN traffic and the VPN user/user ID. Then make a trend using that filter. After that you can make a query like: select username, timestamp, geolocation group by user, geolocation, timestamp.
Cheers
Gayan


Hi Guys,
Thank you all for your replies.
Paul, indeed your way is correct and gave me a solid understanding to fix the issue.
A small exception is that we don't bind a certain user to a certain country, so the active list isn't really necessary here, since those users travel and log in from different countries from time to time.
The below rule, set on an aggregation of 1 match every 24 hours, solved the issue.
where device event class ID is the successful login or failed login event class ID of the SSL VPN vendor

This vpn free will help you in the task