following ES CS was triggering lot of notable events "Geographically Improbable Access Detected " did any one had luck to tune this and whit listed unwanted stuff. Please share your experience to fix this one.
any alternative search we can use ? let me know your thoughts .
The Correlation search 'Access - Geographically Improbable Access - Summary Gen' is the one which is actually generated events into 'gia_summary' index.
If you have to whitelist users, ip addresses, locations etc., you can append on this search.
Logic behind this query can be referred here - https://answers.splunk.com/answers/560188/logic-behind-geographically-improbable-access-dete.html
Hey I was aware of that answers earlier please dont post again any splunk question here - This is not the answer im expecting.
Not sure if this is what you mean by tuning, but here it goes.
Access - Geographically Improbable Access Detected - Rule uses the index=gia_summary, which is populated by the Access - Geographically Improbable Access - Summary Gen. You can add a |search to the end of the original search, and add your exclusions there. Such as | search src!=220.127.116.11 Depends on how wide of an exclusion you need, you may be better off using a lookup table to add exclusions.
Hope this helps.