FortiSIEM Discussions
Ricardo_forigua
New Contributor II

I don't understand the PH_USER_MON_SUDDEN_LOC_CHANGE

Hi, I would like to understand how the "Sudden User Location Change" alert works, since sometimes I see that only one event generates the alert, and when I make a query with "PH_USER_MON_SUDDEN_LOC_CHANGE" no information is returned.

PartBhat
Staff

It works as follows:

For certain login events, we monitor the longitude and latitude of the source IP address. If the distance between two geo positions from successive logons to the same server is greater than the travel time between the two locations, then PH_USER_MON_SUDDEN_LOC_CHANGE is generated. The event has two IP addresses and the time between logons.

Details: the FortiSIEM Identity and Location Module keeps track of (Source IP, Longitude, Latitude, User, Last Seen Time). For every new Identity and Location event (https://help.fortinet.com/fsiem/7-1-3/Online-Help/HTML5_Help/Dashboard-identity-location.htm), the Haversine distance (https://en.wikipedia.org/wiki/Haversine_formula) between the new and existing longitude and latitude is calculated. Then the speed required to attain this distance is calculated by dividing the Haversine distance by the elapsed time between the current event and the event stored in the Identity and Location module. If this value exceeds 575 miles/hour (which is a reasonable limit for commercial jetliners), then the event is generated.

This event indicates that the specific user credential is likely shared or stolen, which can be a security violation.
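The check described in the reply above, written out as a runnable example. This is an added illustration, not FortiSIEM's own code: it keeps a per-user (source IP, latitude, longitude, last seen time) record, computes the Haversine distance to the new login, divides by the elapsed time, and raises a PH_USER_MON_SUDDEN_LOC_CHANGE-style record when the implied speed exceeds 575 mph. Everything beyond that description is an assumption made here: the detector class and field names, the decision that a zero-distance pair (same coordinates, typically the same source IP) or a non-positive elapsed time never alerts, and the sample login events, which are constructed and use documentation IP ranges. The page does not say whether the real comparison is strict or not, so the strict ">" below is also an assumption.

```python
"""
Added example (not FortiSIEM code): a minimal impossible-travel detector
that follows the logic described in the staff reply.

Assumptions not stated on the page: per-user state is a plain dict,
zero-distance or non-positive-elapsed-time pairs never alert, and the
sample events in run_sample() are constructed, not real FortiSIEM data.
"""
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_MILES = 3958.8   # mean Earth radius
MAX_SPEED_MPH = 575.0         # threshold quoted in the reply


@dataclass
class LoginEvent:
    user: str
    src_ip: str
    lat: float
    lon: float
    ts: float  # seconds since epoch


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


class SuddenLocationChangeDetector:
    """Keeps the last login per user and flags physically impossible travel."""

    def __init__(self, max_speed_mph=MAX_SPEED_MPH):
        self.max_speed_mph = max_speed_mph
        self.last_seen = {}  # user -> LoginEvent (assumed storage, not FortiSIEM's)

    def process(self, ev: LoginEvent) -> Optional[dict]:
        prev = self.last_seen.get(ev.user)
        self.last_seen[ev.user] = ev
        if prev is None:
            return None  # first sighting of this user: nothing to compare against

        distance = haversine_miles(prev.lat, prev.lon, ev.lat, ev.lon)
        elapsed_h = (ev.ts - prev.ts) / 3600.0

        if distance == 0.0:
            # Assumption: identical coordinates (same source IP) are not a location change.
            return None
        if elapsed_h <= 0:
            # Assumption: same-second or out-of-order events carry no speed information.
            return None

        speed = distance / elapsed_h
        if speed > self.max_speed_mph:  # strict comparison is an assumption
            return {
                "event_type": "PH_USER_MON_SUDDEN_LOC_CHANGE",
                "user": ev.user,
                "prev_src_ip": prev.src_ip,
                "src_ip": ev.src_ip,
                "distance_miles": round(distance, 1),
                "elapsed_seconds": int(ev.ts - prev.ts),
                "speed_mph": round(speed, 1),
            }
        return None


def run_sample():
    """Feed constructed logins through the detector and return the alerts raised."""
    det = SuddenLocationChangeDetector()
    events = [
        # alice: New York, then London two hours later (~3460 mi) -> alert
        LoginEvent("alice", "203.0.113.10", 40.7128, -74.0060, 0),
        LoginEvent("alice", "198.51.100.7", 51.5074, -0.1278, 2 * 3600),
        # bob: two logins from the same IP one second apart -> no alert
        LoginEvent("bob", "192.0.2.5", 48.8566, 2.3522, 100),
        LoginEvent("bob", "192.0.2.5", 48.8566, 2.3522, 101),
        # carol: Paris, then Berlin twelve hours later (~545 mi) -> no alert
        LoginEvent("carol", "192.0.2.9", 48.8566, 2.3522, 0),
        LoginEvent("carol", "192.0.2.10", 52.5200, 13.4050, 12 * 3600),
    ]
    return [a for a in (det.process(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it prints one alert, for alice, with the two source IPs, the elapsed seconds and the implied speed, which is the same information the reply says the real event carries. The bob case is the situation raised in this thread: because the two logins share coordinates, the distance is zero and nothing fires here, regardless of how short the interval is.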

Ricardo_forigua

I understand the logic with which the rule works, but according to what I have analyzed, this does not really work: sometimes a single source IP address generates the "Sudden User Location Change" alert, and the events do not show a geolocation change.

[Screenshot attached: Captura de pantalla 2024-03-05 085012.png]

I think the condition should only be greater than 1 and not greater than or equal to.