Identifying Possible Travel

[Rbartram]

Version

2.4.90

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

16G

Storage for /

83G

Storage for /nsm

162G

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,

I'm currently using the Microsoft 365 integration to collect sign-in logs, and I'm working on detecting "impossible travel" scenarios—cases where a user signs in from two geographically distant locations in a time frame that would make the journey physically implausible.

Using Grok, I've put together a transform that calculates the speed (in miles per hour) a user would have to travel between their two most recent sign-ins.

My question now is: how can I trigger an alert when that calculated speed exceeds 100 MPH?

Here is my transform code for review:

    "id": "ms365_last_ip_comparison_robb",
    "authorization": {
        "roles": [
            "superuser"
        ]
    },
    "version": "10.0.0",
    "create_time": 1751906851210,
    "source": {
        "index": [
            "logs-*"
        ],
        "query": {
            "bool": {
                "filter": [
                    {
                        "exists": {
                            "field": "user.id"
                        }
                    },
                    {
                        "exists": {
                            "field": "source.ip"
                        }
                    },
                    {
                        "term": {
                            "event.action": "UserLoggedIn"
                        }
                    }
                ]
            }
        }
    },
    "dest": {
        "index": "ms365_last_ip_comparison_robb"
    },
    "frequency": "5m",
    "sync": {
        "time": {
            "field": "@timestamp",
            "delay": "300s"
        }
    },
    "pivot": {
        "group_by": {
            "user.id": {
                "terms": {
                    "field": "user.id"
                }
            }
        },
        "aggregations": {
            "compare": {
                "scripted_metric": {
                    "init_script": "\r\n            state.last_ip = null;\r\n            state.last_timestamp = null;\r\n            state.last_timestamp_millis = null;\r\n            state.last_geo_location = null;\r\n            state.last_city_name = null;\r\n            state.last_region_name = null;\r\n            state.last_country_iso_code = null;\r\n            state.last_country_name = null;\r\n            state.previous_ip = null;\r\n            state.previous_timestamp = null;\r\n            state.previous_timestamp_millis = null;\r\n            state.previous_geo_location = null;\r\n            state.previous_city_name = null;\r\n            state.previous_region_name = null;\r\n            state.previous_country_iso_code = null;\r\n            state.previous_country_name = null;\r\n            state.is_different_ip = false;\r\n            state.distance_miles = null;\r\n            state.speed_mph = null;\r\n            state.events = new ArrayList();\r\n            state.debug = new ArrayList();\r\n          ",
                    "map_script": "\r\n            def ip = params._source['source']['ip'];\r\n            def timestamp = params._source['@timestamp'];\r\n            def geo_location = params._source['source']['geo']['location'];\r\n            def city_name = params._source['source']['geo']['city_name'];\r\n            def region_name = params._source['source']['geo']['region_name'];\r\n            def country_iso_code = params._source['source']['geo']['country_iso_code'];\r\n            def country_name = params._source['source']['geo']['country_name'];\r\n            if (timestamp == null) {\r\n              state.debug.add(['error': 'Missing @timestamp', 'ip': ip]);\r\n              return;\r\n            }\r\n            def time_millis = null;\r\n            try {\r\n              time_millis = ZonedDateTime.parse(timestamp).toInstant().toEpochMilli();\r\n            } catch (Exception e) {\r\n              state.debug.add(['error': 'Invalid timestamp: ' + timestamp, 'ip': ip]);\r\n              return;\r\n            }\r\n            def lat = null;\r\n            def lon = null;\r\n            if (geo_location != null && geo_location.containsKey('lat') && geo_location.containsKey('lon')) {\r\n              lat = geo_location['lat'];\r\n              lon = geo_location['lon'];\r\n              if (!(lat instanceof Number) || !(lon instanceof Number)) {\r\n                state.debug.add(['error': 'Invalid geo_location: ' + geo_location, 'ip': ip]);\r\n                lat = null;\r\n                lon = null;\r\n              }\r\n            } else {\r\n              state.debug.add(['error': 'Missing or invalid geo_location', 'ip': ip]);\r\n            }\r\n            if (time_millis != null) {\r\n              def event = ['ip': ip, 'timestamp': timestamp, 'timestamp_millis': time_millis.longValue()];\r\n              if (lat != null && lon != null) {\r\n                event['lat'] = lat.doubleValue();\r\n                event['lon'] = lon.doubleValue();\r\n              }\r\n              if (city_name != null) {\r\n                event['city_name'] = city_name;\r\n              }\r\n              if (region_name != null) {\r\n                event['region_name'] = region_name;\r\n              }\r\n              if (country_iso_code != null) {\r\n                event['country_iso_code'] = country_iso_code;\r\n              }\r\n              if (country_name != null) {\r\n                event['country_name'] = country_name;\r\n              }\r\n              state.events.add(event);\r\n            } else {\r\n              state.debug.add(['error': 'Null timestamp_millis after parsing: ' + timestamp, 'ip': ip]);\r\n            }\r\n          ",
                    "combine_script": "return state",
                    "reduce_script": "\r\n            def final_state = states[0];\r\n            def debug_entries = new ArrayList();\r\n            for (s in states) {\r\n              final_state.events.addAll(s.events);\r\n              debug_entries.addAll(s.debug);\r\n            }\r\n            if (final_state.events.length > 0) {\r\n              final_state.events.sort((a, b) -> {\r\n                long a_millis = a.timestamp_millis instanceof Long ? a.timestamp_millis : a.timestamp_millis.longValue();\r\n                long b_millis = b.timestamp_millis instanceof Long ? b.timestamp_millis : b.timestamp_millis.longValue();\r\n                return b_millis > a_millis ? 1 : (b_millis < a_millis ? -1 : 0);\r\n              });\r\n              final_state.last_ip = final_state.events[0].ip;\r\n              final_state.last_timestamp = final_state.events[0].timestamp;\r\n              final_state.last_timestamp_millis = final_state.events[0].timestamp_millis;\r\n              if (final_state.events[0].containsKey('lat') && final_state.events[0].containsKey('lon')) {\r\n                final_state.last_geo_location = ['lat': final_state.events[0].lat, 'lon': final_state.events[0].lon];\r\n              }\r\n              if (final_state.events[0].containsKey('city_name')) {\r\n                final_state.last_city_name = final_state.events[0].city_name;\r\n              }\r\n              if (final_state.events[0].containsKey('region_name')) {\r\n                final_state.last_region_name = final_state.events[0].region_name;\r\n              }\r\n              if (final_state.events[0].containsKey('country_iso_code')) {\r\n                final_state.last_country_iso_code = final_state.events[0].country_iso_code;\r\n              }\r\n              if (final_state.events[0].containsKey('country_name')) {\r\n                final_state.last_country_name = final_state.events[0].country_name;\r\n              }\r\n              //debug_entries.add(['event': 'last', 'ip': final_state.last_ip, 'timestamp': final_state.last_timestamp, 'timestamp_millis': final_state.last_timestamp_millis, 'geo_location': final_state.last_geo_location, 'city_name': final_state.last_city_name, 'region_name': final_state.last_region_name, 'country_iso_code': final_state.last_country_iso_code, 'country_name': final_state.last_country_name]);\r\n              for (int i = 1; i < final_state.events.length; i++) {\r\n                if (!final_state.events[i].ip.equals(final_state.last_ip)) {\r\n                  final_state.previous_ip = final_state.events[i].ip;\r\n                  final_state.previous_timestamp = final_state.events[i].timestamp;\r\n                  final_state.previous_timestamp_millis = final_state.events[i].timestamp_millis;\r\n                  if (final_state.events[i].containsKey('lat') && final_state.events[i].containsKey('lon')) {\r\n                    final_state.previous_geo_location = ['lat': final_state.events[i].lat, 'lon': final_state.events[i].lon];\r\n                  }\r\n                  if (final_state.events[i].containsKey('city_name')) {\r\n                    final_state.previous_city_name = final_state.events[i].city_name;\r\n                  }\r\n                  if (final_state.events[i].containsKey('region_name')) {\r\n                    final_state.previous_region_name = final_state.events[i].region_name;\r\n                  }\r\n                  if (final_state.events[i].containsKey('country_iso_code')) {\r\n                    final_state.previous_country_iso_code = final_state.events[i].country_iso_code;\r\n                  }\r\n                  if (final_state.events[i].containsKey('country_name')) {\r\n                    final_state.previous_country_name = final_state.events[i].country_name;\r\n                  }\r\n                  final_state.is_different_ip = true;\r\n                  //debug_entries.add(['event': 'previous', 'ip': final_state.previous_ip, 'timestamp': final_state.previous_timestamp, 'timestamp_millis': final_state.previous_timestamp_millis, 'geo_location': final_state.previous_geo_location, 'city_name': final_state.previous_city_name, 'region_name': final_state.previous_region_name, 'country_iso_code': final_state.previous_country_iso_code, 'country_name': final_state.previous_country_name]);\r\n                  if (final_state.last_geo_location != null && final_state.previous_geo_location != null) {\r\n                    def lat1 = final_state.last_geo_location.lat * Math.PI / 180.0;\r\n                    def lon1 = final_state.last_geo_location.lon * Math.PI / 180.0;\r\n                    def lat2 = final_state.previous_geo_location.lat * Math.PI / 180.0;\r\n                    def lon2 = final_state.previous_geo_location.lon * Math.PI / 180.0;\r\n                    def dlat = lat2 - lat1;\r\n                    def dlon = lon2 - lon1;\r\n                    def a = Math.sin(dlat / 2.0) * Math.sin(dlat / 2.0) + Math.cos(lat1) * Math.cos(lat2) * Math.sin(dlon / 2.0) * Math.sin(dlon / 2.0);\r\n                    def c = 2.0 * Math.atan2(Math.sqrt(a), Math.sqrt(1.0 - a));\r\n                    def R = 3958.8; // Earth radius in miles\r\n                    final_state.distance_miles = Math.round(R * c);\r\n                    def time_diff_hours = Math.abs(final_state.last_timestamp_millis - final_state.previous_timestamp_millis) / (1000.0 * 3600.0);\r\n                    if (time_diff_hours > 0.0) {\r\n                      final_state.speed_mph = Math.round(final_state.distance_miles / time_diff_hours);\r\n                    } else {\r\n                      final_state.speed_mph = null; // Avoid division by zero\r\n                    }\r\n                  }\r\n                  break;\r\n                }\r\n              }\r\n              if (debug_entries.length > 0) {\r\n                debug_entries.sort((a, b) -> {\r\n                  long a_millis = a.timestamp_millis instanceof Long ? a.timestamp_millis : a.timestamp_millis.longValue();\r\n                  long b_millis = b.timestamp_millis instanceof Long ? b.timestamp_millis : b.timestamp_millis.longValue();\r\n                  return b_millis > a_millis ? 1 : (b_millis < a_millis ? -1 : 0);\r\n                });\r\n                while (debug_entries.length > 2) {\r\n                  debug_entries.remove(debug_entries.length - 1);\r\n                }\r\n                final_state.debug = debug_entries;\r\n              }\r\n              final_state['@timestamp'] = final_state.last_timestamp; // Set @timestamp to last_timestamp\r\n            }\r\n            final_state.events = null; // Exclude events from output\r\n            return final_state;\r\n          "
                }
            }
        }
    },
    "description": "Compares the last UserLoggedIn IP with the most recent previous UserLoggedIn IP that is different, calculating rounded distance and speed in miles, including city, region, country data, setting @timestamp to last_timestamp, with debug output limited to the last and previous records, excluding events list",
    "settings": {
    }
}}```

Thank you, ...Rob

### Guidelines

- [X] I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.

[cm-ops]

What does your field look like when this is calculated and what data type is it? Integer/long?