I've been investigating why I have not been receiving ES events for some time now. After upgrading ES, I had to reinstall a lot of the apps that were previously installed & configured. One of the things I have not been able to resolve is how to get ES to detect "Geographically Improbable Access Detected" again.
My Authentication Datamodel is receiving events again.
My asset_lookup_by_str has events
However, my asset_lookup_by_cidr does not return results. So I believe this may be causing it.
How can I get the asset_lookup_by_cidr to populate again?
Just an update in case anyone in the future has this problem.
I had to pull a list of all assets with CIDR information and then create a lookup for CIDR.
I also populated the data with city, country, lat, long. That seemed to fix it!
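As an added example (not the poster's code, and not Splunk's own lookup implementation), here is a small Python check that does what the answer describes before the file is uploaded into ES: it validates an asset list that mixes CIDR entries and single IPs, flags rows whose city/country/lat/long are missing or out of range, and emulates the CIDR match so you can confirm that a given source IP would actually resolve to an asset row. The column names follow the ES asset-list layout (ip, lat, long, city, country, ...); the rows themselves are constructed for this example.

```python
import csv
import io
import ipaddress

# Constructed sample asset list in the Splunk ES asset-list CSV layout.
# Field names ip, lat, long, city, country are the ES asset fields;
# the rows are made up for this example (one row deliberately lacks lat/long).
SAMPLE_ASSET_CSV = """\
ip,nt_host,dns,owner,priority,lat,long,city,country,bunit,category
10.0.0.0/8,,,,medium,47.6062,-122.3321,Seattle,US,corp,internal
10.20.0.0/16,,,,medium,40.7128,-74.0060,New York,US,corp,internal
192.168.50.10,lab-01,lab-01.example.test,,low,51.5074,-0.1278,London,GB,lab,internal
172.16.0.0/12,,,,high,,,Berlin,DE,dc,server
"""

# Geo fields the "Geographically Improbable Access" logic needs per asset.
REQUIRED_GEO_FIELDS = ("lat", "long", "city", "country")


def parse_asset_list(csv_text):
    """Parse asset rows, split them into CIDR rows and single-IP rows, and
    collect validation problems (bad IP/CIDR, missing or out-of-range geo data).
    Returns (cidr_rows, str_rows, problems)."""
    cidr_rows, str_rows, problems = [], [], []
    # Line 1 is the header, so data rows start at line 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        key = (row.get("ip") or "").strip()
        if not key:
            continue
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            problems.append(f"line {n}: '{key}' is not an IP or CIDR")
            continue

        missing = [f for f in REQUIRED_GEO_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            problems.append(f"line {n}: {key} missing {', '.join(missing)}")
        else:
            lat, lon = float(row["lat"]), float(row["long"])
            if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
                problems.append(f"line {n}: {key} lat/long out of range")

        # A key written with a prefix that covers more than one address belongs
        # in the CIDR lookup; anything else is an exact-string asset key.
        if "/" in key and net.num_addresses > 1:
            cidr_rows.append((net, row))
        else:
            str_rows.append(row)
    return cidr_rows, str_rows, problems


def lookup_by_cidr(ip, cidr_rows):
    """Emulate Splunk's CIDR(ip) match type: return the asset row whose
    network contains ip, preferring the most specific (longest) prefix.
    Returns None when no CIDR row covers the address."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, row) for net, row in cidr_rows if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    cidrs, singles, issues = parse_asset_list(SAMPLE_ASSET_CSV)
    print(f"{len(cidrs)} CIDR rows, {len(singles)} single-IP rows")
    for issue in issues:
        print("PROBLEM:", issue)
    for probe in ("10.20.5.5", "10.9.9.9", "8.8.8.8"):
        hit = lookup_by_cidr(probe, cidrs)
        print(probe, "->", hit["city"] if hit else "no asset match")
```

Run the script against the asset CSV you intend to upload; any PROBLEM lines point at rows that will load but leave the geo fields empty, which is exactly the state the correlation search cannot work with. Once the file is loaded into ES, a quick `| inputlookup asset_lookup_by_cidr` in the search bar confirms that the CIDR-backed lookup is populated.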