Compare physical presence vs. logins
Could you please help me with rule(s) that will be able to catch logins (failed and successful) to Active Directory where the person isn't at the PC's location?
1) Active list of people who are in the buildings (populated by logs from the card management system)
The active list has two event-based fields, Attacker User Name and Device Custom String1 (both are "key fields")
Attacker User Name contains usernames (the same as the login usernames)
Device Custom String1 contains the physical location (for example Street 1, Street 23, Street 34, etc.)
We're using the same location names for network ranges in the Network Model (188.8.131.52/25 is Street 1, 184.108.40.206/24 is Street 23, etc.)
So a successful (or failed) login contains Attacker IP, Attacker hostname, Attacker Zone name (e.g. Street 1), etc.
How can I compare this login event with my active list?
Expected results are:
- find logins where Attacker Zone name != Device Custom String1 (from the active list)
- find logins where the username isn't in the active list
I tried many, many rules, but I wasn't able to deal with it.
Do you have any suggestions or tips on how to do that?
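As an added illustration (not part of the original post and not ArcSight rule syntax), the script below models the two conditions from the question in Python: an active list keyed by Attacker User Name with the badge location in Device Custom String1, a Network Model that maps address ranges to zone names, and login events checked against both. The list entries, the third network range and the login events are constructed sample data; the first two ranges are the ones quoted in the question.

```python
"""Presence-vs-login check modelled in Python (added example, not the
original post's rule). Sample data is constructed; ArcSight-style field
names follow the question."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Active list: Attacker User Name -> Device Custom String1 (badge location).
# Constructed entries standing in for what the card system would populate.
PRESENCE_LIST: Dict[str, str] = {
    "alice": "Street 1",
    "bob": "Street 23",
}

# Network Model: address range -> zone name. strict=False accepts a host
# address with a prefix length, as written in the question; the 10.40/16
# range is constructed.
NETWORK_MODEL: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("188.8.131.52/25", strict=False), "Street 1"),
    (ipaddress.ip_network("184.108.40.206/24", strict=False), "Street 23"),
    (ipaddress.ip_network("10.40.0.0/16", strict=False), "Street 34"),
]


def zone_for_ip(ip: str) -> Optional[str]:
    """Resolve Attacker Address to Attacker Zone Name via the network model."""
    addr = ipaddress.ip_address(ip)
    for net, zone in NETWORK_MODEL:
        if addr in net:
            return zone
    return None  # address outside every modelled range


def evaluate_login(event: dict, presence: Dict[str, str]) -> Optional[dict]:
    """Return a finding if the login does not match physical presence.

    Expected event keys: attackerUserName, attackerAddress, outcome, and
    optionally attackerZoneName (derived from the address when absent).
    Condition 2 (user not badged in) is checked before condition 1 (zone
    mismatch), so a user missing from the list is never reported twice.
    """
    user = event["attackerUserName"].lower()
    zone = event.get("attackerZoneName") or zone_for_ip(event["attackerAddress"])
    if user not in presence:
        reason = "user not in presence list"
    elif zone != presence[user]:
        reason = f"zone mismatch: login from {zone}, badged in at {presence[user]}"
    else:
        return None
    return {"user": user, "zone": zone, "outcome": event["outcome"], "reason": reason}


def run(events: List[dict], presence: Dict[str, str] = PRESENCE_LIST) -> List[dict]:
    """Apply the check to a batch of login events and collect the findings."""
    findings = []
    for event in events:
        finding = evaluate_login(event, presence)
        if finding:
            findings.append(finding)
    return findings


# Constructed login events: one consistent, one from the wrong zone,
# one from a user who never badged in.
SAMPLE_EVENTS = [
    {"attackerUserName": "alice", "attackerAddress": "188.8.131.60", "outcome": "Success"},
    {"attackerUserName": "bob", "attackerAddress": "188.8.131.70", "outcome": "Failure"},
    {"attackerUserName": "carol", "attackerAddress": "10.40.1.5", "outcome": "Success"},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The ordering of the two checks matters: a user who is not in the list at all has no location to compare against, so treating that case first keeps the zone-mismatch condition from firing on an empty value. Whatever is used to populate the list should also remove (or expire) entries when a badge-out is logged, otherwise the zone comparison is made against stale presence data.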