Hi Tom -

> If the login points are geographic outliers, then:
> - Check if there are more than two distinct IP addresses that the person
> has used; and
> - If there are more than two distinct IP addresses, increase the score.

I believe you could do something like the following.  This would touch
Enrichments, the Profiler, and Threat Triage.

*(I) Enrichments*

We need to create some enrichments that define what a geographic outlier is
and assign a username to each IP address.
   1. Create an enrichment that marks geographic outliers. For example,
geo_outlier = true.
   2. Create an enrichment that assigns a username. For example, username =
tyerex.

After Enrichment, you have some telemetry that looks something like this.
  {
    "source.type": "toms-ip-feed",
    "ip_addr": "a.b.c.d",
    "geo_outlier": "true",
    "username": "tyerex",
    ..
  }

*(II) Profiler*

Create a Profile that counts the number of distinct IP addresses for each
user.  Here we can use the Profiler along with a data sketch, specifically
HLLP.  This kind of distinct count is similar to Example 3 in the
documentation
<https://metron.apache.org/current-book/metron-analytics/metron-profiler-common/index.html#Examples>
[1].
    {
      "profile": "distinct-ip-by-user",
      "onlyif": "source.type == 'toms-ip-feed' and geo_outlier == true",
      "foreach": "username",
      "update": {
        "ips": "HLLP_ADD(ips, ip_addr)"
      },
      "result": {
        "triage": {
          "ip_count": "HLLP_CARDINALITY(ips)"
        }
      }
    }

We are going to use the "triage" functionality so that the output of the
Profiler goes to Threat Triage.  The Profiler will produce a message that
is sent to the 'enrichments' topic and thus Enrichment and Threat Triage.
The message coming out of the Profiler will look something like this.

    {
      "ip_count": "7",
      "source.type": "profiler",
      "profile": "distinct-ip-by-user",
      "entity": "tyerex",
      "period": 1234456,
      "period.start": 1426349294842,
      "period.end": 1426350194842,
      "timestamp": 1426350199232,
      "is_alert": true
    }


*(III) Threat Triage*

Now create a set of threat triage rules that score this new source of
telemetry coming from the Profiler.  The 'entity' field will contain the
username and the 'ip_count' field will contain the distinct count of IP
addresses for each user.



Hope this helps spark some ideas about how you might implement your use
case.





[1]
https://metron.apache.org/current-book/metron-analytics/metron-profiler-common/index.html#Examples

On Wed, Jan 15, 2020 at 5:39 PM Yerex, Tom <[email protected]> wrote:

> Good afternoon,
>
> We are working on enhancements from the geographic login outliers
> from hxxps://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html.
>
> The original solution works very well, thank you to those who put in the
> work creating documentation, developing Stellar, and of course Metron. A
> common scenario that frustrates us is when someone uses a VPN service. The
> use of VPN services is common to certain geographic regions and this type
> of activity usually shows up as someone connecting from two diverse
> geographic locations using the same two IP addresses (one for home and the
> other using a VPN).
>
> I would like to enhance the original example with something that roughly
> does this:
>
> If the login points are geographic outliers, then:
> - Check if there are more than two distinct IP addresses that the person
> has used; and
> - If there are more than two distinct IP addresses, increase the score.
>
>
> The idea is to adjust the score based on the number of IP address access
> points so we prioritize our focus on someone using 20 different IP
> addresses rather than someone only using two.
>
> If someone has another approach, I would appreciate any guidance. For now,
> I'm digging into Stellar syntax to see if we can figure out a solution
> there.
>
> Thank you,
>
> Tom.
>
>
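The enrichment -> Profiler -> Threat Triage chain sketched in the reply above, modelled end to end as an added example. This is not Apache Metron code and not the Stellar profile itself: Metron's HLLP sketch is stood in for by an exact Python set (so the count is exact rather than approximate), the 15-minute period length is an assumption read off the sample period.start / period.end values in the thread, the telemetry is constructed, and the triage rule (no score at two or fewer distinct IPs, then the score grows with the count) is one reading of Tom's "more than two" requirement.

```python
"""Toy, end-to-end model of the chain in the thread:
enrichment -> profiler (distinct IPs per user per period) -> threat triage.
Added example only; not Apache Metron code. The HLLP sketch is replaced
by an exact set, and the 15-minute period length is assumed from the
sample period.start / period.end values in the thread."""
from collections import defaultdict

PERIOD_MS = 15 * 60 * 1000          # assumed profile period (900000 ms)
PROFILE_NAME = "distinct-ip-by-user"

# Constructed telemetry, shaped like the post-enrichment messages in the
# thread (geo_outlier and username already added). IPs are documentation
# ranges; timestamps are epoch milliseconds.
TELEMETRY = [
    # tyerex: five logins, four distinct IPs, all in one period
    {"source.type": "toms-ip-feed", "ip_addr": "203.0.113.5", "geo_outlier": "true", "username": "tyerex", "timestamp": 1426349300000},
    {"source.type": "toms-ip-feed", "ip_addr": "198.51.100.7", "geo_outlier": "true", "username": "tyerex", "timestamp": 1426349350000},
    {"source.type": "toms-ip-feed", "ip_addr": "192.0.2.9", "geo_outlier": "true", "username": "tyerex", "timestamp": 1426349400000},
    {"source.type": "toms-ip-feed", "ip_addr": "203.0.113.5", "geo_outlier": "true", "username": "tyerex", "timestamp": 1426349450000},
    {"source.type": "toms-ip-feed", "ip_addr": "198.51.100.20", "geo_outlier": "true", "username": "tyerex", "timestamp": 1426349500000},
    # tyerex again in the next period, from one IP only
    {"source.type": "toms-ip-feed", "ip_addr": "203.0.113.5", "geo_outlier": "true", "username": "tyerex", "timestamp": 1426349800000},
    # bob: the home + VPN pattern, exactly two IPs
    {"source.type": "toms-ip-feed", "ip_addr": "203.0.113.40", "geo_outlier": "true", "username": "bob", "timestamp": 1426349310000},
    {"source.type": "toms-ip-feed", "ip_addr": "198.51.100.41", "geo_outlier": "true", "username": "bob", "timestamp": 1426349320000},
    # carol: not a geographic outlier, so the profile must ignore her
    {"source.type": "toms-ip-feed", "ip_addr": "192.0.2.50", "geo_outlier": "false", "username": "carol", "timestamp": 1426349330000},
    {"source.type": "toms-ip-feed", "ip_addr": "192.0.2.51", "geo_outlier": "false", "username": "carol", "timestamp": 1426349340000},
    {"source.type": "toms-ip-feed", "ip_addr": "192.0.2.52", "geo_outlier": "false", "username": "carol", "timestamp": 1426349350000},
    # a message from another feed is dropped by the source.type check
    {"source.type": "other-feed", "ip_addr": "192.0.2.60", "geo_outlier": "true", "username": "tyerex", "timestamp": 1426349360000},
]


def only_if(msg):
    """Mirror the profile's 'onlyif' predicate. The enrichment in the thread
    emits geo_outlier as the string "true", so accept both that and a bool."""
    return (msg.get("source.type") == "toms-ip-feed"
            and msg.get("geo_outlier") in (True, "true"))


def run_profiler(messages, period_ms=PERIOD_MS):
    """Group matching messages by (username, period) and emit one
    profiler-style triage message per group carrying the distinct IP count."""
    groups = defaultdict(set)   # (user, period) -> set of IPs (HLLP stand-in)
    last_seen = {}
    for m in messages:
        if not only_if(m):
            continue
        period = m["timestamp"] // period_ms
        key = (m["username"], period)
        groups[key].add(m["ip_addr"])                 # HLLP_ADD stand-in
        last_seen[key] = max(last_seen.get(key, 0), m["timestamp"])
    out = []
    for (user, period), ips in sorted(groups.items()):
        out.append({
            "ip_count": len(ips),                     # HLLP_CARDINALITY stand-in
            "source.type": "profiler",
            "profile": PROFILE_NAME,
            "entity": user,
            "period": period,
            "period.start": period * period_ms,
            "period.end": (period + 1) * period_ms,
            "timestamp": last_seen[(user, period)],
            "is_alert": True,
        })
    return out


def triage_score(profiler_msg):
    """Threat triage rule for the profiler's output: no score unless the user
    was seen from more than two distinct IPs; above that the score grows with
    the count, so 20 addresses outranks 3. Tolerates ip_count as a string."""
    if (profiler_msg.get("source.type") != "profiler"
            or profiler_msg.get("profile") != PROFILE_NAME):
        return 0
    ip_count = int(profiler_msg["ip_count"])
    return ip_count if ip_count > 2 else 0


def score_users(messages):
    """Run the whole chain and return {username: highest triage score}."""
    scores = defaultdict(int)
    for pm in run_profiler(messages):
        scores[pm["entity"]] = max(scores[pm["entity"]], triage_score(pm))
    return dict(scores)


if __name__ == "__main__":
    for pm in run_profiler(TELEMETRY):
        print(pm)
    print(score_users(TELEMETRY))
```

Running it shows tyerex scored 4 for the first period (four distinct IPs) and 0 for the next (one IP), bob scored 0 (exactly two IPs, the home plus VPN case), and carol absent from the profiler output because her logins never passed the geo_outlier filter. The only_if helper also shows the one thing to watch in the real profile: the enrichment in the thread writes geo_outlier as the string "true", so the Stellar 'onlyif' expression and the enrichment need to agree on the field's type.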
