geoip

It is a pretty popular search command, and it turns up in all sorts of situations. Below are some really useful searches that combine geoip with other search commands.

Unauthorized Foreign Activity

layout=edit | geoip clientip as clientip | table _time clientip client_country | search NOT client_country IN ("Germany", "Austria", "Switzerland")

purpose:

Detect unauthorized admin activity by spotting admin actions that come from a country where no admin should be working

requirements:

Logs that contain the external source IP of the client (web server access logs, for example)

comments:

  • Search for admin activity. On my site that means hits on the CMS editor, so the base search is "layout=edit"; adapt this to whatever marks admin or editing actions in your own logs.
  • Display the IPs involved: | table _time clientip
  • Enrich them with the geoip lookup: | geoip clientip as clientip (or, when geoip is installed as a lookup table rather than a command, | lookup geoip clientip as clientip)
  • Display all changes with geo information:
    • layout=edit | lookup geoip clientip as clientip | table _time clientip client_country
  • Review the countries that show up and turn them into a simple whitelist: | search NOT client_country IN ("Germany", "Austria", "Switzerland")
  • Caveat: IPs with no lookup row (internal addresses, ranges missing from the database) come back without a client_country value, and a NOT filter does not drop them. Treat those as "unknown" and review them separately rather than assuming they are harmless.
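The same detection re-implemented over sample log lines, as an added example that is not part of the original page. The geoip lookup is replaced by a small inline network-to-country table so the script runs offline; the log lines, the table rows and the internal-network handling are constructed for the example and are not data from the page.

```python
"""Added example: the 'admin activity from a non-whitelisted country' search
re-implemented in Python over constructed access-log lines. The geoip lookup
is replaced by a small inline table so the script runs offline."""
import ipaddress
import re
from datetime import datetime

# Constructed Apache-style access log lines (invented, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:09:14:02 +0100] "GET /cms/?layout=edit&page=home HTTP/1.1" 200 5123
203.0.113.7 - - [12/Mar/2023:09:15:11 +0100] "GET /cms/?layout=edit&page=news HTTP/1.1" 200 4810
198.51.100.23 - - [12/Mar/2023:09:16:40 +0100] "POST /cms/save?layout=edit HTTP/1.1" 302 0
192.0.2.44 - - [12/Mar/2023:09:17:05 +0100] "GET /index.html HTTP/1.1" 200 1024
203.0.113.99 - - [12/Mar/2023:09:18:30 +0100] "GET /cms/?layout=edit HTTP/1.1" 200 4000
"""

# Stand-in for the geoip lookup (assumption: the real search uses the geoip
# lookup/command from the page; these network-to-country rows are invented).
GEOIP_TABLE = {
    "203.0.113.0/24": "Germany",
    "198.51.100.0/24": "Brazil",
    "192.0.2.0/24": "Austria",
}

# RFC 1918 space: a public geoip database has no row for these, which is the
# "no client_country value" case from the comments above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The whitelist from the search: countries where admin activity is expected.
ALLOWED_COUNTRIES = {"Germany", "Austria", "Switzerland"}

# Common Log Format: client IP, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_log(text):
    """Turn raw log lines into events with _time, clientip and request fields."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole search
        events.append({
            "_time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "clientip": m["clientip"],
            "request": m["request"],
        })
    return events


def geoip(ip):
    """Return the country for an IP, or None when the lookup has no row for it."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return None
    for net, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return country
    return None


def detect_foreign_admin_activity(log_text, allowed=ALLOWED_COUNTRIES):
    """layout=edit | geoip clientip | table ... | search NOT client_country IN (whitelist)."""
    hits = []
    for ev in parse_log(log_text):
        if "layout=edit" not in ev["request"]:
            continue  # not admin/editor activity
        country = geoip(ev["clientip"])
        # Events without a lookup row get an explicit "unknown" so they are
        # reviewed instead of being silently dropped by the whitelist check.
        ev["client_country"] = country if country is not None else "unknown"
        if ev["client_country"] not in allowed:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect_foreign_admin_activity(SAMPLE_LOG):
        print(hit["_time"].isoformat(), hit["clientip"], hit["client_country"])
```

Run as-is it reports two of the four editor hits: the Brazilian address, and the internal 10.0.0.5 client flagged as "unknown" because the lookup has no row for it. Swapping the allow list (the `allowed` parameter) is the equivalent of editing the IN list in the search.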