Geographically Improbable Access Detected ES tune...

Splunk_rocks · ‎08-05-2019

Hello,

following ES CS was triggering lot of notable events "Geographically Improbable Access Detected " did any one had luck to tune this and whit listed unwanted stuff. Please share your experience to fix this one.
any alternative search we can use ? let me know your thoughts .
TIA

jbillings · ‎06-30-2020

Not sure if this is what you mean by tuning, but here it goes.

Access - Geographically Improbable Access Detected - Rule uses the index=gia_summary, which is populated by the Access - Geographically Improbable Access - Summary Gen. You can add a |search to the end of the original search, and add your exclusions there. Such as | search src!=8.8.8.8 Depends on how wide of an exclusion you need, you may be better off using a lookup table to add exclusions.

Hope this helps.

jawaharas · ‎08-05-2019

The Correlation search 'Access - Geographically Improbable Access - Summary Gen' is the one which is actually generated events into 'gia_summary' index.

If you have to whitelist users, ip addresses, locations etc., you can append on this search.

Logic behind this query can be referred here - https://answers.splunk.com/answers/560188/logic-behind-geographically-improbable-access-dete.html

Splunk_rocks · ‎08-11-2019

Hey I was aware of that answers earlier please dont post again any splunk question here - This is not the answer im expecting.

jawaharas · ‎08-08-2019

@Splunk_rocks
Kindly accept the answer it it helped you, so others can refer it.

Geographically Improbable Access Detected ES tuned

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

Geographically Improbable Access Detected ES tuned

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!