Unauthorized Foreign Activity

layout=edit | lookup geoip clientip as clientip | table _time clientip client_country | where NOT (client_country="Germany" OR client_country="Austria" OR client_country="Switzerland")

purpose:

Detect unauthorized admin activity via foreign country

requirements:

Logs that contain the external source IPs

comments:

  • Search for admin activity, e.g. on my webpage in a CMS system the edit views are marked with "layout=edit"
  • Display all the IPs: table _time clientip
  • Enrich them with the geoip lookup (lookup geoip clientip as clientip)
  • Display all changes with geo information:
    • layout=edit | lookup geoip clientip as clientip | table _time clientip client_country
  • Review them and create a simple whitelist of expected countries: | where NOT (client_country="Germany" OR client_country="Austria" OR client_country="Switzerland")