Channel: Questions in topic: "splunk-enterprise"

Missile Map: How do I map multiple Haversine results?

I am posting this as a question, but I have already gotten the answer for myself. I just want others to be able to find this solution themselves. Using the search given in bbosearch for "Auth Anomalies over time window":

tag=authentication action=success
| iplocation src
| eval date=strftime(epoch, "%Y-%m-%d %H:%M:%S")
| eval short_lon=round(lon, 2)
| eval short_lat=round(lat, 2)
| strcat short_lat "," short_lon as latlon
| transaction user maxspan=12h maxevents=2 mvlist=t mvraw=f delim="|"
| eval first_src=mvindex(src,0)
| eval last_src=mvindex(src,1)
| where first_src!=last_src
| eval first_city=mvindex(City,0)
| eval second_city=mvindex(City,1)
| where first_city!=second_city
| eval first_latlon=mvindex(latlon, 0)
| eval second_latlon=mvindex(latlon, 1)
| haversine originField=first_latlon second_latlon units=mil
| eval rate_mps = distance/duration
| eval rate_mph = rate_mps * 3600
| eval distance=round(distance, 2)
| rename distance as "Distance (Miles)"
| eval tdm=duration/60
| eval tdm=round(tdm, 2)
| rename tdm as "Time Difference (Minutes)"
| rename rate_mph as "Speed (MPH)"
| makemv delim="|" src
| mvexpand src
| rename src as clientip
| fields user clientip latlon "Speed (MPH)"
| search "Speed (MPH)" > 500
| iplocation clientip
| makemv delim="|" user
| eval username=mvindex(user,0)
| geostats count by username

You can view the events from this, which will give you what you are looking for, but you will not be able to map it.

If you are only trying to map these, then you can use:

tag=authentication action=success
| iplocation src
| eval date=strftime(epoch, "%Y-%m-%d %H:%M:%S")
| eval short_lon=round(lon, 2)
| eval short_lat=round(lat, 2)
| strcat short_lat "," short_lon as latlon
| transaction user maxspan=12h maxevents=2 mvlist=t mvraw=f delim="|"
| eval first_src=mvindex(src,0)
| eval last_src=mvindex(src,1)
| where first_src!=last_src
| eval first_city=mvindex(City,0)
| eval second_city=mvindex(City,1)
| where first_city!=second_city
| eval first_latlon=mvindex(latlon, 0)
| eval second_latlon=mvindex(latlon, 1)
| haversine originField=first_latlon second_latlon units=mil
| eval rate_mps = distance/duration
| eval rate_mph = rate_mps * 3600
| eval distance=round(distance, 2)
| rename distance as "Distance (Miles)"
| eval tdm=duration/60
| eval tdm=round(tdm, 2)
| rename tdm as "Time Difference (Minutes)"
| rename rate_mph as "Speed (MPH)"
| mvexpand src
| rename src as clientip
| fields user clientip latlon "Speed (MPH)"
| search "Speed (MPH)" > 500
| eval username=mvindex(user,0)
| iplocation clientip
| geostats count by username globallimit=0

If you want to actually view the results with the Missile Map visualization, then use this:

tag=authentication action=success
| iplocation src
| eval date=strftime(epoch, "%Y-%m-%d %H:%M:%S")
| eval short_lon=round(lon, 2)
| eval short_lat=round(lat, 2)
| strcat short_lat "," short_lon as latlon
| transaction user maxspan=12h maxevents=2 mvlist=t mvraw=f delim="|"
| eval first_src=mvindex(src,0)
| eval last_src=mvindex(src,1)
| where first_src!=last_src
| eval first_city=mvindex(City,0)
| eval second_city=mvindex(City,1)
| where first_city!=second_city
| eval first_latlon=mvindex(latlon, 0)
| eval second_latlon=mvindex(latlon, 1)
| haversine originField=first_latlon second_latlon units=mil
| eval rate_mps = distance/duration
| eval rate_mph = rate_mps * 3600
| eval distance=round(distance, 2)
| rename distance as "Distance (Miles)"
| eval tdm=duration/60
| eval tdm=round(tdm, 2)
| rename tdm as "Time Difference (Minutes)"
| rename rate_mph as "Speed (MPH)"
| mvexpand src
| rename src as clientip
| fields user clientip latlon "Speed (MPH)"
| search "Speed (MPH)" > 500
| eval username=mvindex(user,0)
| eval latlon1=mvindex(latlon,0)
| eval latlon2=mvindex(latlon,1)
| makemv delim="," latlon1
| makemv delim="," latlon2
| eval start_lat=mvindex(latlon1,0)
| eval start_lon=mvindex(latlon1,1)
| eval end_lat=mvindex(latlon2,0)
| eval end_lon=mvindex(latlon2,1)
| table _time username start_lat start_lon end_lat end_lon

I hope that this helps anyone else out there who was having the same issue I was. There may be an easier way to fix this, but this is what I have found to work. If you know of an easier or better way, please leave it below as an answer.
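The searches in the post above chain several Splunk commands (transaction, the Haversine app's haversine command, mvexpand) to get from raw authentication events to one start/end coordinate pair per suspicious login pair, and it is easy to lose track of what each stage contributes. The Python below is an added example, not code from the post or from the Haversine app, that reimplements the same "impossible travel" logic end to end on a constructed event list so the stages can be checked one by one: group successful logins per user, take pairs inside a 12-hour window, drop pairs with the same src or the same City, compute the great-circle distance in miles, convert miles per second to miles per hour with the same factor of 3600 the search uses, and emit rows with the fields the Missile Map table expects. The sample users, RFC 5737 addresses and coordinates are invented for the example. It differs from the search in two deliberate ways, both noted in the code: it compares every adjacent login pair rather than the non-overlapping pairs that transaction maxevents=2 produces, and it keeps a pair whose two logins carry the same timestamp, which in the search yields a null from distance/duration and silently fails the "Speed (MPH)" > 500 filter.

```python
import math
from collections import defaultdict
from datetime import datetime

# Mean Earth radius in statute miles; the SPL search asks haversine for units=mil.
EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


# Constructed sample events standing in for the output of
# "tag=authentication action=success | iplocation src". Users and addresses are
# hypothetical (RFC 5737 ranges); City/lat/lon are what iplocation would add.
SAMPLE_EVENTS = [
    # (time, user, src, City, lat, lon)
    ("2019-03-01 08:00:00", "alice", "203.0.113.10", "New York", 40.71, -74.01),
    ("2019-03-01 09:30:00", "alice", "198.51.100.7", "London", 51.51, -0.13),
    ("2019-03-01 10:00:00", "bob", "192.0.2.5", "Chicago", 41.88, -87.63),
    ("2019-03-01 16:00:00", "bob", "192.0.2.9", "Denver", 39.74, -104.98),
    ("2019-03-01 12:00:00", "carol", "203.0.113.44", "Seattle", 47.61, -122.33),
    ("2019-03-01 12:00:10", "carol", "203.0.113.45", "Seattle", 47.61, -122.33),
    ("2019-03-01 13:00:00", "eve", "198.51.100.20", "San Francisco", 37.77, -122.42),
    ("2019-03-01 13:00:00", "eve", "198.51.100.21", "Tokyo", 35.68, 139.69),
]


def impossible_travel(events, max_span_hours=12, speed_threshold_mph=500):
    """Return one Missile Map row per suspicious pair of consecutive logins by a user.

    Mirrors the filters in the SPL search: the two logins must come from different
    src addresses and different cities, lie within max_span_hours of each other,
    and imply a speed above speed_threshold_mph. Unlike transaction maxevents=2,
    which splits a user's logins into non-overlapping pairs, this checks every
    adjacent pair, so three logins in a row yield two comparisons.
    """
    by_user = defaultdict(list)
    for ts, user, src, city, lat, lon in events:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, city, lat, lon))

    rows = []
    for user in sorted(by_user):
        logins = sorted(by_user[user])  # chronological, like transaction's ordering
        for (t1, src1, city1, lat1, lon1), (t2, src2, city2, lat2, lon2) in zip(logins, logins[1:]):
            duration_s = (t2 - t1).total_seconds()
            if duration_s > max_span_hours * 3600:
                continue  # transaction maxspan=12h would not join these
            if src1 == src2 or city1 == city2:
                continue  # where first_src!=last_src / where first_city!=second_city
            distance = haversine_miles(lat1, lon1, lat2, lon2)
            # distance is in miles and duration in seconds, so distance/duration is
            # miles per second; multiplying by 3600 gives mph, exactly as the search does.
            # Same-timestamp logins from different cities: in SPL distance/0 is null and
            # the row silently drops out of search "Speed (MPH)" > 500; here the pair is
            # treated as infinite speed and kept, since it is the clearest anomaly.
            speed_mph = math.inf if duration_s == 0 else distance / duration_s * 3600
            if speed_mph > speed_threshold_mph:
                rows.append({
                    "_time": t1,  # transaction stamps the pair with the earliest event
                    "username": user,
                    "start_lat": lat1, "start_lon": lon1,
                    "end_lat": lat2, "end_lon": lon2,
                    "Distance (Miles)": round(distance, 2),
                    "Time Difference (Minutes)": round(duration_s / 60, 2),
                    "Speed (MPH)": speed_mph if math.isinf(speed_mph) else round(speed_mph, 2),
                })
    return rows


if __name__ == "__main__":
    for row in impossible_travel(SAMPLE_EVENTS):
        print(row)
```

Run as-is it flags alice (New York to London in 90 minutes, roughly 3,460 miles, well over 2,000 mph) and eve (two cities with the same timestamp); bob's Chicago-to-Denver pair at about 150 mph stays below the 500 mph threshold, and carol's two Seattle logins are dropped by the same-city rule before any distance is computed. Lowering speed_threshold_mph is the equivalent of changing the 500 in the search and is the knob to tune against your own false-positive rate from VPN exits and mobile carriers.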
