We have not been able to test, simulate or build datasets for it, use at your own risk!

Try in Splunk Security Cloud


This search detects logins from the same user from different cities in a 24 hour period.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-07-21
  • Author: Rico Valdez, Splunk
  • ID: 7594fa07-9f34-4d01-81cc-d6af6a5db9e8


ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1078.001 Default Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
`okta` displayMessage="User login to Okta" client.geographicalContext.city!=null 
| stats min(_time) as firstTime max(_time) as lastTime dc(client.geographicalContext.city) as locations values(client.geographicalContext.city) as cities values(client.geographicalContext.state) as states by user 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `okta_user_logins_from_multiple_cities_filter` 
| search locations > 1

Associated Analytic Story

How To Implement

This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.

Required field

  • _time
  • displayMessage
  • client.geographicalContext.city
  • client.geographicalContext.state
  • user

Kill Chain Phase

Known False Positives

Users in your enviornment may legitmately be travelling and loggin in from different locations. This search is useful for those users that should not be travelling for some reason, such as the COVID-19 pandemic. The search also relies on the geographical information being populated in the Okta logs. It is also possible that a connection from another region may be attributed to a login from a remote VPN endpoint.


Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2