Splunk Geostats: Because Where in the World Is It?

Splunk Geolocation

Splunk has many compelling features. For me, the most advantageous are the built-in capabilities that let users get value out of the data already being fed into Splunk. A long-time favorite has been Splunk's data visualization, specifically the geostats command and the map it drives. Geostats adds value to a data set by giving it a global, national, and local-level perspective. Let's take a look at how to put this visualizer to use.

My first idea for this visualizer was to map the geographic locations that possible "cyber attacks" (as reported by the IDS/SIEM) are potentially coming from. This was done using the following search:

(Note: whether the source or the destination IP is the interesting one depends on the type of IDS event your system generates. For the purpose of this demonstration, we assume, via a tag, that we only have IDS events where the "Source IP" is the "offending" IP address.)

<search to call IDS data> | iplocation "Source IP" | geostats latfield=lat longfield=lon globallimit=0 count by Signature

It's recommended to refine the initial data set to show only alerts attributed to a specific threat actor, or a specific (unique) type of attack; plotting every alert at once mostly reproduces a population map of the Internet. A narrow set helps determine whether there is a pattern in the exit nodes your adversary is reaching you from, and is therefore far more useful to an intelligence team. Two caveats: iplocation places the last hop that touched you (a VPN endpoint, proxy, or compromised host), not necessarily the adversary, and private (RFC 1918) addresses produce no location at all. The globallimit=0 option tells geostats to keep every Signature as its own slice of each marker instead of collapsing everything beyond the top ten into OTHER.
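As an added example of the refinement suggested above (this is not a search from the original post), the following restricts the plot to alerts whose source appears on a list of known threat-actor infrastructure and colours the markers by actor instead of by signature. The lookup file threat_actor_ips.csv (columns ip and actor, uploaded as a lookup table file), the renamed field src_ip, and the original "Source IP" field name are assumptions for illustration; adapt them to your IDS sourcetype.

```spl
<search to call IDS data>
| rename "Source IP" as src_ip
| lookup threat_actor_ips.csv ip AS src_ip OUTPUT actor
| where isnotnull(actor)
| iplocation src_ip
| geostats latfield=lat longfield=lon globallimit=0 count by actor
```

The rename avoids carrying a field name with a space through the rest of the pipeline. A plain CSV lookup matches exact addresses only; if the intelligence you hold is in CIDR blocks, define the lookup in Settings > Lookups with a CIDR match type on the ip column rather than referencing the file directly, and the same search will then match ranges.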

Another use of the geostats visualizer is to keep an eye on failed services or systems. This could be a number of Point of Sale (POS) systems that are no longer 'checking in', or a list of 'failed connections' from a calling service you provide. Again, this is another way to look for anomalous occurrences.

For this example, I created a CSV containing three distinct locations, again through the iplocation mapping. If the locations are not mobile (like a store), I would recommend assigning static coordinates (latitude and longitude) to that data's location through a lookup, instead of, or in addition to, geolocating its public IP address: IP geolocation is only approximate, and a store's egress IP can change or be re-registered to a different city without the store going anywhere.

In this example, I assumed that you are a supermarket retailer with three similarly sized locations. At this time of day, having 15 or more POS systems not "checking in" could indicate that something is wrong with the networking in that area. To visualize this, I processed the data with the following search:

| iplocation "Source IP" | geostats latfield=lat longfield=lon count as TOTAL | eval redCount = if(TOTAL >= 15, TOTAL, 0) | eval greenCount = if(TOTAL < 15, TOTAL, 0) | fields - TOTAL

The first step was to plot my data on the geomap.

| geostats latfield=lat longfield=lon count as TOTAL

With the data plotted, I split the count into two fields named for the colors I wanted them to carry. Because each location's count lands entirely in one field or the other, every marker ends up wholly red or wholly green rather than a mixed pie.

| eval redCount = if(TOTAL >= 15, TOTAL, 0) | eval greenCount = if(TOTAL < 15, TOTAL, 0)

Then finally, I removed the TOTAL field so that only the two colored fields are drawn:

| fields - TOTAL

Now, to bring these colors to life, I saved my search to a dashboard, opened the panel in Splunk's XML source editor, and added the following option to it:

<option name="mapping.fieldColors">{greenCount:0x00b200,redCount:0xfb0000}</option>
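Putting the whole procedure together, here is one complete search of the kind described above, with the store coordinates coming from a static lookup rather than from iplocation, as recommended earlier. This is an added example, not the search from the original post: the index pos, the sourcetype pos:heartbeat, the lookup file pos_inventory.csv (columns pos_id, store_id, lat, lon) and the 15-minute check-in window are all assumptions for illustration. The post itself does not show how "not checking in" was derived; this version derives it as inventory minus recent heartbeats.

```spl
index=pos sourcetype=pos:heartbeat earliest=-15m
| stats count as heartbeats by pos_id
| append [| inputlookup pos_inventory.csv | eval heartbeats=0]
| stats sum(heartbeats) as heartbeats, values(store_id) as store_id, values(lat) as lat, values(lon) as lon by pos_id
| where heartbeats=0
| geostats latfield=lat longfield=lon count as TOTAL
| eval redCount=if(TOTAL>=15, TOTAL, 0), greenCount=if(TOTAL<15, TOTAL, 0)
| fields - TOTAL
```

The first stats collapses the heartbeats seen in the window to one row per terminal; appending the inventory with heartbeats=0 and re-aggregating by pos_id gives every known terminal a row, and the ones that stayed at zero are the silent ones. Because every terminal in a store carries that store's lat/lon from the lookup, geostats bins them onto the store's marker and the count is the number of silent terminals there. The append/stats pattern is used instead of join because it is cheaper and not subject to join's result limits; the inventory lookup still runs as a subsearch, which is fine for a few thousand terminals but should be replaced by a lookup command on the event side for very large estates. The same mapping.fieldColors option shown above then colors the markers.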

With not much effort, Splunk now presents us with an excellent map showing where a networking problem might be brewing at our store in the Detroit area.

These two examples are just the tip of the iceberg of what one can achieve with Splunk's visualization capabilities. For more information on geostats, check out Splunk's official documentation.