Splunk Enterprise Security
Geographically Improbable Access Detected ES tuned

Path Finder

Hello,

The following ES CS was triggering a lot of notable events, "Geographically Improbable Access Detected". Did anyone have luck tuning this and whitelisting unwanted stuff? Please share your experience on fixing this one.
Is there any alternative search we can use? Let me know your thoughts.
TIA

Re: Geographically Improbable Access Detected ES tuned

Motivator

The correlation search 'Access - Geographically Improbable Access - Summary Gen' is the one which actually generates events into the 'gia_summary' index.

If you have to whitelist users, IP addresses, locations etc., you can append to this search.

The logic behind this query can be referred to here - https://answers.splunk.com/answers/560188/logic-behind-geographically-improbable-access-dete.html

Re: Geographically Improbable Access Detected ES tuned

Motivator

@Splunk_rocks
Kindly accept the answer if it helped you, so others can refer to it.

Re: Geographically Improbable Access Detected ES tuned

Path Finder

Hey, I was aware of that answer earlier. Please don't post any Splunk question here again - this is not the answer I'm expecting.

Re: Geographically Improbable Access Detected ES tuned

SplunkTrust

Not sure if this is what you mean by tuning, but here it goes.

Access - Geographically Improbable Access Detected - Rule uses index=gia_summary, which is populated by Access - Geographically Improbable Access - Summary Gen. You can add a |search to the end of the original search and put your exclusions there, such as | search src!=8.8.8.8. Depending on how wide an exclusion you need, you may be better off using a lookup table to add exclusions.

Hope this helps.

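A concrete form of the lookup-based exclusion suggested above, added here as an example and not taken from the thread or from the ES app. The Summary Gen search body is left as a placeholder; `gia_exclusions.csv` with columns `src`, `user` and `exclude_reason` is an assumed lookup that you would create and populate yourself, with each row filling only the field it whitelists.

```spl
<existing "Access - Geographically Improbable Access - Summary Gen" search>
| lookup gia_exclusions.csv src OUTPUTNEW exclude_reason AS src_excluded
| lookup gia_exclusions.csv user OUTPUTNEW exclude_reason AS user_excluded
| where isnull(src_excluded) AND isnull(user_excluded)
| fields - src_excluded user_excluded
```

Because the filtering happens before the summary is written, the downstream Detected rule never sees the whitelisted source or account, and `exclude_reason` gives you a record of why each entry was added when the lookup is reviewed later.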