GeoLogonalyzer: analyze remote access logs for anomalies
GeoLogonalyzer is a utility to perform location and metadata lookups on source IP addresses of remote access logs. This analysis can identify anomalies based on the speed of required travel, distance, hostname changes, ASN changes, VPN client changes, etc.
GeoLogonalyzer extracts and processes changes in logon characteristics to reduce analysis requirements. For example, if a user logs on 500 times from 1.1.1.1 and then 1 time from 2.2.2.2, GeoLogonalyzer will create one line of output that shows information related to the change such as:
- Detected anomalies
- Data Center Hosting information identified
- Location information
- ASN information
- Time and distance metrics
Analysis Tips
- Unless otherwise configured (as described above), RFC1918 and other reserved IP addresses are assigned a geolocation of (0,0) which is located in the Atlantic Ocean near Africa which will skew results. a. Use the –skip_rfc1918 command line parameter to completely skip any reserved source IP address such as RFC1918. This is useful to reduce false positives if your data includes connections from internal networks such as 10.10.10.10 or 192.168.1.100.
- Use the Automatic Anomaly Detection flags listed below to quickly identify anomalies. Examples include changes in logons that: a. require an infeasible rate of travel (FAST) b. involve a large change in distance (DISTANCE) c. involve a source IP address registered to a data center hosting providers such as Digital Ocean or AWS (DCH) d. changes in ASN (ASN), VPN client name (CLIENT), or source system hostname (HOSTNAME)
- Look for IP addresses registered to unexpected countries.
- Analyze the “Streak” count to develop a pattern of logon behavior from a source IP address before a change occurs.
- Analyze all hostnames to ensure they match standard naming conventions.
- Analyze all software client names to identify unapproved software.
Automatic Anomaly Detection
GeoLogonalyzer will try to automatically flag on the following anomalies:
| Flag | Description |
|---|---|
| DISTANCE | This flag indicates the distance between the two compared source IP addresses exceeded the configured FAR_DISTANCE constant. This is 500 miles by default. |
| FAST | This flag indicates the speed required to travel between the two compared source IP addresses in the time between the two compared authentications exceeded the configured IMPOSSIBLE_MPH constant. This is 500 MPH by default. Estimate source: https://www.flightdeckfriend.com/how-fast-do-commercial-aeroplanes-fly |
| DCH | This flag indicates that one of the compared IP Addresses is registered to a datacenter hosting provider. |
| ASN | This flag indicates the ASN of the two compared source IP addresses was not identical. Filtering out source IP address changes _that do not have this flag_ may cut down on legitimate logons from nearby locations to review. |
| CLIENT | If VPN client information is processed by GeoLogonalyzer, this flag indicates a change in VPN client name between the two compared authentications. This can help identify use of unapproved VPN client software. |
| HOSTNAME | If hostname information is processed by GeoLogonalyzer, this flag indicates a change in hostname between the two compared authentications. This can help identify use of unapproved systems connecting to your remote access solution. |
Copyright <C> 2018 FireEye
