Skip to main content
Splunk Lantern

Location of remote workers

Your workforce is fully remote. To ensure network security, you want to report on where your remote workers are located.

Required data

Authentication data, normalized to the Authentication data Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.

Procedure

Run the following search. You can optimize it by specifying a time range​​​​​​​.

| tstats count(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) BY Authentication.action Authentication.src
| rename Authentication.* AS * 
| eval src = if(src=="216.113.183.230","142.252.17.31", if(src=="64.147.162.160","71.193.0.238",if(src=="216.129.122.242", "162.245.239.68", src))) 
| iplocation src 
| where len(Country)>0 AND len(City)>0
| geostats count BY action

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats count(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) BY Authentication.action Authentication.src Search the main and firewall indexes for authentication actions and group the results by action and source. Set prestats to true so the results can be sent to a chart.
| rename Authentication.* AS *  Rename the field as shown for readability.
| eval src = if(src=="216.113.183.230","142.252.17.31", if(src=="64.147.162.160","71.193.0.238",if(src=="216.129.122.242", "162.245.239.68", src))) Convert the IP addresses for the matches shown; otherwise, return the source IP address from the dataset.
| iplocation src Extract location information from the IP addresses.
| where len(Country)>0 AND len(City)>0 Filter results to those where the values in the country and city fields are greater than one character.
| geostats count BY action Create a map that shows a count of authentication events.

Next steps

This search produces a map of your users' locations and statistics about how many logins come in from each location. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network. 

Finally, you might be interested in other processes associated with the Securing a work-from-home organization use case.