Geographically Improbable Access Detected ES tune...

Splunk_rocks · ‎08-05-2019

Hello,

following ES CS was triggering lot of notable events "Geographically Improbable Access Detected " did any one had luck to tune this and whit listed unwanted stuff. Please share your experience to fix this one.
any alternative search we can use ? let me know your thoughts .
TIA

jbillings · ‎06-30-2020

Not sure if this is what you mean by tuning, but here it goes.

Access - Geographically Improbable Access Detected - Rule uses the index=gia_summary, which is populated by the Access - Geographically Improbable Access - Summary Gen. You can add a |search to the end of the original search, and add your exclusions there. Such as | search src!=8.8.8.8 Depends on how wide of an exclusion you need, you may be better off using a lookup table to add exclusions.

Hope this helps.

jawaharas · ‎08-05-2019

The Correlation search 'Access - Geographically Improbable Access - Summary Gen' is the one which is actually generated events into 'gia_summary' index.

If you have to whitelist users, ip addresses, locations etc., you can append on this search.

Logic behind this query can be referred here - https://answers.splunk.com/answers/560188/logic-behind-geographically-improbable-access-dete.html

Splunk_rocks · ‎08-11-2019

Hey I was aware of that answers earlier please dont post again any splunk question here - This is not the answer im expecting.

jawaharas · ‎08-08-2019

@Splunk_rocks
Kindly accept the answer it it helped you, so others can refer it.

Geographically Improbable Access Detected ES tuned

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!