Location of remote workers
Your workforce is fully remote. To ensure network security, you want to report on where your remote workers are located.
Required data
Authentication data, normalized to the Authentication data Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
Procedure
Run the following search. You can optimize it by specifying a time range.
| tstats count(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) BY Authentication.action Authentication.src | rename Authentication.* AS * | iplocation src | where len(Country)>0 AND len(City)>0 | geostats count BY action
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| | tstats count(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) BY Authentication.action Authentication.src | Search the main and firewall indexes for authentication actions and group the results by action and source. Set prestats to true so the results can be sent to a chart. |
| | rename Authentication.* AS * | Rename the field as shown for readability. |
| | iplocation src | Extract location information from the IP addresses. |
| | where len(Country)>0 AND len(City)>0 | Filter results to those where the values in the country and city fields are greater than one character. |
| | geostats count BY action | Create a map that shows a count of authentication events. |
Next steps
This search produces a map of your users' locations and statistics about how many logins come in from each location. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network.
Finally, you might be interested in other processes associated with the Securing a work-from-home organization use case.