Hello Team,
Today we faced an issue where an alert for "Impossible Travel Successful" was triggered even though the countries of those IPs are the same.
The rule is below:
Greetings Aravind,
Can you provide some relevant logs/detections for the issue you're having? Your logic looks good, and I ran your logic in a demo environment and I am not seeing any issue.
Also, as a note: please consider using a state as well as a country as conditions so that you don't miss security-relevant user logons in larger countries like the United States. Additionally, consider using $.principal.ip_geo_artifact.location.country_or_region over $.principal.location.country_or_region, since the latter is source based and may not have accurate location data.
Please see the new logic below:
| User | Count |
|---|---|
| 3 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
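To make the two suggestions in the reply concrete (compare on country plus state, and prefer the IP geo artifact over the source-based location), here is an added Python model of the detection logic; it is not the poster's rule or Chronicle code, and the event dictionaries are a constructed, simplified UDM-like shape with assumed keys `user`, `action`, `location` and `ip_geo_artifact`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed keys, not real Chronicle/UDM records).
# alice: two successful US logins 20 minutes apart from different states.
# bob:   two DE logins; the source-based "location" is wrong on the second one.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "user": "alice", "action": "ALLOW",
     "location": {"country_or_region": "US"},
     "ip_geo_artifact": {"country_or_region": "US", "state": "California"}},
    {"ts": "2024-01-01T10:20:00", "user": "alice", "action": "ALLOW",
     "location": {"country_or_region": "US"},
     "ip_geo_artifact": {"country_or_region": "US", "state": "New York"}},
    {"ts": "2024-01-01T11:00:00", "user": "bob", "action": "ALLOW",
     "location": {"country_or_region": "DE"},
     "ip_geo_artifact": {"country_or_region": "DE", "state": "Bavaria"}},
    {"ts": "2024-01-01T11:15:00", "user": "bob", "action": "ALLOW",
     "location": {"country_or_region": "FR"},
     "ip_geo_artifact": {"country_or_region": "DE", "state": "Bavaria"}},
]

def location_key(event, use_state, prefer_geo_artifact):
    """Build the (country, state) tuple the rule compares on."""
    geo = event.get("ip_geo_artifact") if prefer_geo_artifact else None
    loc = geo or event.get("location", {})
    state = loc.get("state", "") if use_state else ""
    return (loc.get("country_or_region", ""), state)

def impossible_travel(events, window=timedelta(hours=1),
                      use_state=True, prefer_geo_artifact=True):
    """Return {user: sorted distinct locations} for users whose successful
    logins come from more than one location inside the window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("action") != "ALLOW":
            continue  # only successful logons count
        by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]),
                                    location_key(ev, use_state, prefer_geo_artifact)))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            locs = {loc for t, loc in logins[i:] if t - t0 <= window}
            if len(locs) > 1:
                alerts[user] = sorted(locs)
                break
    return alerts
```

Running it with `use_state=False, prefer_geo_artifact=False` alerts on bob's inconsistent source location but misses alice's cross-state travel; the default settings do the opposite.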