User Login Geolocation
Unusual patterns of behavior are valuable signals when triaging security alerts. However, if security tools lack the relevant context, they either miss obviously suspicious patterns or generate a flood of false positives. The result is frustrating situations such as an alert firing every time a user logs in from a different computer than usual.
When a user's credentials are used to log in to the company's systems from an IP address that has not previously been associated with that user ID, the SIEM may flag the login. The SIEM can then escalate the alert to D3, where the IP address is parsed out of the event and automatically looked up in MaxMind's GeoIP database to estimate where the login originated. The analyst can compare that location with the locations of the user's previous logins and check whether the user could plausibly have traveled to the new location since the last login (the "impossible travel" test: distance between the two locations divided by the time between the logins). If the incident is deemed malicious, the analyst can trigger a playbook to take action. Two caveats apply in practice: GeoIP places an address at the level of a city or region, not a street, and VPN exits, corporate proxies and mobile carrier NAT can put a legitimate user far from where they are physically sitting, so a geolocation mismatch should be treated as one factor in the decision rather than a verdict on its own.
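The impossible-travel check described above, as an added example in Python. This is not D3's or MaxMind's code: it uses a small constructed prefix-to-location table in place of a real MaxMind database (in production the lookup would be a geoip2.database.Reader(...).city(ip) call returning latitude and longitude), constructed login events, and an assumed threshold of 900 km/h, roughly the ground speed of a commercial airliner.

```python
"""Impossible-travel check over login events (added example, not D3/MaxMind code)."""
import ipaddress
import math
from datetime import datetime

# Constructed stand-in for a MaxMind GeoIP lookup: prefix -> (city, lat, lon).
# With the real database this would be geoip2.database.Reader(path).city(ip),
# reading response.city.name and response.location.latitude/longitude.
GEOIP_TABLE = {
    "203.0.113.0/24": ("Vancouver", 49.28, -123.12),
    "198.51.100.0/24": ("London", 51.51, -0.13),
    "192.0.2.0/24": ("Toronto", 43.65, -79.38),
}
_NETS = [(ipaddress.ip_network(p), loc) for p, loc in GEOIP_TABLE.items()]

# Constructed login events: (user, ISO-8601 timestamp, source IP).
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:00+00:00", "203.0.113.17"),   # Vancouver
    ("alice", "2024-03-01T10:00:00+00:00", "198.51.100.8"),   # London, 1 h later
    ("bob",   "2024-03-01T09:00:00+00:00", "203.0.113.40"),   # Vancouver
    ("bob",   "2024-03-01T18:00:00+00:00", "192.0.2.9"),      # Toronto, 9 h later
    ("carol", "2024-03-01T11:30:00+00:00", "10.0.0.5"),       # private, no geo
]


def geolocate(ip):
    """Return (city, lat, lon) for ip, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, loc in _NETS:
        if addr in net:
            return loc
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Walk each user's logins in time order; flag pairs needing speed > max_kmh.

    Returns a list of findings dicts. Verdicts: 'baseline' (first geolocated
    login seen), 'plausible', 'impossible', or 'unknown-geo' (no GeoIP hit,
    e.g. RFC 1918 space), which an analyst should treat as missing context,
    not as evidence either way.
    """
    findings = []
    last_seen = {}  # user -> (timestamp, location)
    for user, ts, ip in sorted(events, key=lambda e: e[1]):
        loc = geolocate(ip)
        if loc is None:
            findings.append({"user": user, "ip": ip, "verdict": "unknown-geo"})
            continue
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev is None:
            findings.append({"user": user, "ip": ip, "city": loc[0], "verdict": "baseline"})
        else:
            pt, ploc = prev
            hours = (t - pt).total_seconds() / 3600.0
            km = haversine_km(ploc[1], ploc[2], loc[1], loc[2])
            if hours > 0:
                kmh = km / hours
            else:
                kmh = 0.0 if km == 0 else float("inf")  # same instant, different place
            findings.append({
                "user": user, "ip": ip, "from": ploc[0], "to": loc[0],
                "km": round(km, 1), "hours": round(hours, 2), "kmh": round(kmh, 1),
                "verdict": "impossible" if kmh > max_kmh else "plausible",
            })
        last_seen[user] = (t, loc)
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        print(f)
```

On the sample data, alice's Vancouver-to-London hop (about 7,580 km in one hour) is flagged as impossible, bob's Vancouver-to-Toronto hop (about 3,360 km in nine hours, roughly 370 km/h) is plausible, and carol's private-address login gets no geolocation at all. The threshold and the distance computation are the easy part; the judgment calls are deciding which prior login to compare against and how to treat the unknown-geo and VPN cases, which is where the additional context D3 can pull in matters.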
Integrating D3 and MaxMind makes the analysis of unusual login behavior fast and well grounded. By orchestrating the process through D3, you can also correlate the geolocated login against other useful data, such as the user's historical logins, threat intelligence on the source IP, and the relevant MITRE ATT&CK techniques, for the context that turns an approximate location into a confident decision.