Info: Impossible Travel Triggered for the same country

Hello Team,

Today we faced an issue where an alert for Impossible Travel Successful was triggered even though the country of those IPs is the same.

The below is the rule

rule impossible_travel_login_activity
{
  meta:
    subject = "impossible travel login activity"
    description = "Detects when the same user account is logged into twice in a short period of time but from two different countries. This could indicate a user account credential compromise where an adversary obtains access to an account."

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.target.user.userid = $target_user
    $e.principal.location.country_or_region != ""
    $e.principal.location.country_or_region = $country
    $e.security_result.action = "ALLOW"

  match:
    $target_user over 3h

  outcome:
    $risk_score = 80
    // closing quote was missing in the posted rule
    $mitre_attack_tactic = "Initial Access"

  condition:
    #country > 1
}
 
Could you please let me know what we are doing wrong here?
 
Thank you in advance.
 
With Regards,
Aravind S

Greetings Aravind, 

Can you provide some relevant logs/detections for the issue you're having? Your logic looks good, and I ran your logic in a demo environment and I am not seeing any issue.

Also, as a note: please consider using a state as well as a country as conditions so that you don't miss security-relevant user logons in larger countries like the United States. Additionally, consider using $.principal.ip_geo_artifact.location.country_or_region over $.principal.location.country_or_region since the latter is source-based and may not have accurate location data.

Please see the new logic below:

rule impossible_travel_login_activity {
  meta:
    subject = "impossible travel login activity"
    description = "Detects when the same user account is logged into twice in a short period of time but from two different states and countries. This could indicate a user account credential compromise where an adversary obtains access to an account."

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.target.user.userid = $target_user
    $e.principal.ip_geo_artifact.location.state != ""
    $e.principal.ip_geo_artifact.location.state = $state
    $e.principal.ip_geo_artifact.location.country_or_region != ""
    $e.principal.ip_geo_artifact.location.country_or_region = $country
    $e.security_result.action = "ALLOW"

  match:
    $target_user over 3h

  outcome:
    $risk_score = 80
    $mitre_attack_tactic = "Initial Access"

  condition:
    // "or" rather than "and": with "and", two logons from different states
    // inside one country would never fire, which defeats the point of adding state
    #state > 1 or #country > 1
}
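As an added illustration (not part of the thread and not Google SecOps code), the Python model below reproduces the rule's match/condition logic over constructed login events. It assumes the event fields map to the dict keys used in the sample data; that mapping is an assumption, not a documented API. It shows two things a defender checks when a distinct-count rule such as `#country > 1` fires for "the same" country: the count is over distinct string values, so "United States" and "US" (or a value with stray whitespace or different casing) are two countries to the rule, and normalizing the value before counting removes that false positive; and adding state only catches in-country travel when the condition joins state and country with `or`, not `and`.

```python
"""Constructed model of the impossible-travel rule (added example, not the thread's own code)."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)  # mirrors "match: $target_user over 3h"

# Constructed sample USER_LOGIN events (not real log data). Field names are assumed.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "country": "United States", "state": "California", "action": "ALLOW"},
    {"ts": "2024-05-01T09:20:00", "user": "alice", "country": "US", "state": "California", "action": "ALLOW"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "country": "United States", "state": "New York", "action": "ALLOW"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "country": "United States", "state": "Texas", "action": "ALLOW"},
    {"ts": "2024-05-01T11:00:00", "user": "carol", "country": "Germany", "state": "Berlin", "action": "ALLOW"},
    {"ts": "2024-05-01T11:05:00", "user": "carol", "country": "Brazil", "state": "", "action": "BLOCK"},  # not ALLOW: filtered out
    {"ts": "2024-05-01T08:00:00", "user": "dave", "country": "France", "state": "Ile-de-France", "action": "ALLOW"},
    {"ts": "2024-05-01T15:00:00", "user": "dave", "country": "Japan", "state": "Tokyo", "action": "ALLOW"},  # 7h later: outside window
]

# Assumed alias table; a real deployment would use the enrichment source's canonical names.
COUNTRY_ALIASES = {"us": "united states", "usa": "united states", "uk": "united kingdom"}


def normalize_country(value: str) -> str:
    """Collapse casing, whitespace and known aliases so one country counts once."""
    key = value.strip().lower()
    return COUNTRY_ALIASES.get(key, key)


def matching_events(events, require_state=False):
    """The `events:` section: only ALLOW logins with a non-empty country (and state, if used)."""
    out = [e for e in events if e["action"] == "ALLOW" and e["country"] != ""]
    if require_state:
        out = [e for e in out if e["state"] != ""]
    return out


def windows_by_user(events):
    """Group events per user; each event anchors a 3h window containing the events that follow it."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    result = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        windows = []
        for i, anchor in enumerate(evs):
            t0 = datetime.fromisoformat(anchor["ts"])
            windows.append([x for x in evs[i:] if datetime.fromisoformat(x["ts"]) - t0 <= WINDOW])
        result[user] = windows
    return result


def evaluate(events, normalize=False, use_state=False, combine="or"):
    """Return the set of users for whom the `condition:` holds in some 3h window."""
    hits = set()
    grouped = windows_by_user(matching_events(events, require_state=use_state))
    for user, windows in grouped.items():
        for win in windows:
            countries = {normalize_country(e["country"]) if normalize else e["country"] for e in win}
            states = {e["state"] for e in win}
            country_hit = len(countries) > 1  # #country > 1
            state_hit = len(states) > 1       # #state > 1
            if not use_state:
                fired = country_hit
            elif combine == "and":
                fired = country_hit and state_hit
            else:
                fired = country_hit or state_hit
            if fired:
                hits.add(user)
    return hits


if __name__ == "__main__":
    print("original rule, raw strings:      ", evaluate(EVENTS))                      # alice: "US" != "United States"
    print("original rule, normalized:       ", evaluate(EVENTS, normalize=True))      # nobody
    print("state + country with 'and':      ", evaluate(EVENTS, normalize=True, use_state=True, combine="and"))
    print("state + country with 'or':       ", evaluate(EVENTS, normalize=True, use_state=True, combine="or"))  # bob
```

Running it shows alice firing under the original rule purely because the two country strings differ, no one firing once the value is normalized, and bob (two states, one country) firing only under the `or` form of the state-aware condition. When the real rule fires for one country, comparing the raw `country_or_region` values of the two matched events is the first check to make.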