remote login analysis using IP addresses - unreliable?

@Marie_Chudolij YouTube video 2-27-24 - Chronicle SOAR to the Rescue: Orchestrate SIEM Reference List Updates for Improved Threat Detection

I suggest IP addresses, and info inferred from IP addresses, can be unreliable for remote login analysis as:

- the geolocation is not 100% reliable per se
- logins via VPNs with changing IPs
- logins via cloud resources (why is Joe from Chicago coming in from Council Bluffs, IA every few minutes?)

In future sessions I'm interested in more behavior-based analysis to look for bad remote logins.

I enjoyed the YouTube video - thx for your work


Hi Chris - 

I think a couple of things pop into my head here. I don't disagree about the IP addresses not painting the whole picture. There are options that we can include with that specific IP, including GEO info plus username, plus the time frames of these logins, etc., to understand what normal behavior is for Joe. IP alone certainly isn't going to give us a ton to go after.

We have released the new UEBA capabilities within Chronicle in Enterprise and Enterprise Plus editions. Plus there's some new YARA-L language to help with these kinds of issues.

https://cloud.google.com/chronicle/docs/detection/metrics-functions#function_parameters

Check it out! Have a good night!
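As an added illustration of the reply's point (example code, not from the thread or from Chronicle): a small Python baseline-and-scoring routine that profiles each user's seen geos, ASNs and active hours, then scores later logins so that a new geo reached through a cloud or VPN ASN counts little on its own, while a new geo on an ordinary ISP, an unseen ASN and an off-hours time accumulate. The event rows, provider labels and cutoff are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real data): user, source IP, geo label, enrichment
# org/ASN label, UTC timestamp. "Council Bluffs" rows model Joe's sessions via a cloud region.
EVENTS = [
    ("joe", "203.0.113.10", "Chicago,IL", "ExampleISP", "2024-02-01T14:05:00"),
    ("joe", "203.0.113.10", "Chicago,IL", "ExampleISP", "2024-02-02T13:40:00"),
    ("joe", "198.51.100.7", "Council Bluffs,IA", "ExampleCloud", "2024-02-03T15:00:00"),
    ("joe", "198.51.100.7", "Council Bluffs,IA", "ExampleCloud", "2024-02-04T14:20:00"),
    # Post-cutoff logins to be scored: normal cloud churn, a new cloud geo, a real outlier.
    ("joe", "198.51.100.9", "Council Bluffs,IA", "ExampleCloud", "2024-02-05T15:30:00"),
    ("joe", "198.51.100.9", "Omaha,NE", "ExampleCloud", "2024-02-05T15:45:00"),
    ("joe", "192.0.2.44", "Kyiv,UA", "OtherISP", "2024-02-06T03:12:00"),
]
CLOUD_OR_VPN_ORGS = {"ExampleCloud", "ExampleVPN"}  # assumed enrichment labels
CUTOFF = datetime.fromisoformat("2024-02-05T00:00:00")  # baseline = events before this

def build_baseline(events, cutoff):
    """Per-user profile from events before cutoff: geos, orgs and active hours seen."""
    base = defaultdict(lambda: {"geos": set(), "orgs": set(), "hours": set()})
    for user, _ip, geo, org, ts in events:
        t = datetime.fromisoformat(ts)
        if t < cutoff:
            base[user]["geos"].add(geo)
            base[user]["orgs"].add(org)
            base[user]["hours"].add(t.hour)
    return base

def score_login(profile, geo, org, ts):
    """Score one login against a user's baseline; higher means more anomalous. A new geo
    via a cloud/VPN ASN scores low (that geo says little); other signals stack up."""
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if geo not in profile["geos"]:
        if org in CLOUD_OR_VPN_ORGS:
            score += 1; reasons.append("new geo, but via cloud/VPN ASN (low confidence)")
        else:
            score += 3; reasons.append("new geo on a non-cloud ASN")
    if org not in profile["orgs"]:
        score += 2; reasons.append("ASN never seen for this user")
    if hour not in profile["hours"]:
        score += 2; reasons.append(f"login at {hour:02d}:00 UTC, outside usual hours")
    return score, reasons

def evaluate(events, cutoff=CUTOFF):
    """Score every login at or after cutoff against the baseline built from earlier ones."""
    base = build_baseline(events, cutoff)
    return [(user, geo, org, *score_login(base[user], geo, org, ts))
            for user, _ip, geo, org, ts in events
            if datetime.fromisoformat(ts) >= cutoff]
```

A user with no baseline at all scores every signal as new, so a threshold on the score (rather than any single field) is what separates Joe's cloud churn from a genuine outlier.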