Impossible Travel alerts?

I was using a VPN to test geo-blocked countries and things. I noticed that after logging in from Australia and then Chile, IDR sent out these alerts about 15 minutes later:

  • FIRST INGRESS AUTHENTICATION FROM COUNTRY - First ingress by user@domain.com
  • MULTIPLE COUNTRY INGRESS AUTHENTICATIONS - Account user@domain.com authenticated from 2 countries in 56 minutes 43 seconds.

I continued to log in from other countries but didn’t get any more alerts. Is this normal and/or can it be adjusted to alert more? My company is small, single location in the USA so these sorts of alerts are more valuable to us.

Hi @David_Williams, for the First Ingress from Country alert, did you leave the investigation open? Do you see the other occurrences of First Ingress populate in the open investigation?

For the Multi Country auth the same applies, if the investigation is still open and the behavior continues to occur it should be appended to the open Investigation.

Another thing you could do as a complement to this built-in alert is build a custom alert, to be alerted any time an ingress occurs from a country other than the US. This would be a pattern-detection alert, for Ingress Authentication, where the geoip_country is not US, and the result is a SUCCESS.

David

Hey David,

Yes the investigation is still open and it still only shows that I authenticated from 2 countries even though I authenticated from 4, all yesterday.

I get the sense that IDR alerting is kind of spotty as this is not the first time this has happened.

I will go ahead and create a custom alert and see how all that works.

If you would like to raise a support ticket I can take a closer look.

David

Well I do have a ticket open for something similar (email alerts not always sending for account lockouts) so I will append my other issue to that one. Thanks though!

Hey David,

I took a look and I see that the logins from the other 2 countries were both failed logons only. We would only trigger the first ingress from country for successful logins.

David
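As an added example (not code from this thread or from Rapid7's product), the following Python models the three detections discussed above over a constructed set of ingress-authentication events: the custom "successful ingress from a non-US country" pattern alert, the first-ingress-from-country logic that only counts successful logins (which is why the two failed logons never fired it), and a multiple-country check over a one-hour window. The event schema, the field names `geoip_country` and `result`, the one-hour window and the per-user baseline of known countries are all assumptions for the example, not the product's actual implementation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real InsightIDR data). The field names
# "geoip_country" and "result" follow the thread's wording; the rest of the
# schema is an assumption for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T07:30:00", "user": "user@domain.com", "geoip_country": "US", "result": "SUCCESS"},
    {"ts": "2024-01-10T09:00:00", "user": "user@domain.com", "geoip_country": "AU", "result": "SUCCESS"},
    {"ts": "2024-01-10T09:56:43", "user": "user@domain.com", "geoip_country": "CL", "result": "SUCCESS"},
    {"ts": "2024-01-10T10:20:00", "user": "user@domain.com", "geoip_country": "BR", "result": "FAILURE"},
    {"ts": "2024-01-10T10:45:00", "user": "user@domain.com", "geoip_country": "AR", "result": "FAILURE"},
]


def _successes(events):
    """Return successful ingress events in timestamp order, with ts parsed."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    parsed.sort(key=lambda e: e["ts"])
    return [e for e in parsed if e["result"] == "SUCCESS"]


def custom_foreign_success_alerts(events, home_country="US"):
    """The custom pattern-detection alert suggested in the thread: one alert
    for every successful ingress whose geoip_country is not the home country."""
    return [
        {"user": e["user"], "geoip_country": e["geoip_country"], "ts": e["ts"]}
        for e in _successes(events)
        if e["geoip_country"] != home_country
    ]


def first_ingress_alerts(events, known=None):
    """First ingress from country: alert the first time a user successfully
    authenticates from a country not in their baseline. Failed logons are
    skipped, so failed attempts from new countries never fire this."""
    seen = defaultdict(set)
    for user, countries in (known or {}).items():
        seen[user].update(countries)
    alerts = []
    for e in _successes(events):
        if e["geoip_country"] not in seen[e["user"]]:
            seen[e["user"]].add(e["geoip_country"])
            alerts.append({"user": e["user"], "geoip_country": e["geoip_country"], "ts": e["ts"]})
    return alerts


def multi_country_alerts(events, window=timedelta(hours=1)):
    """Multiple-country ingress: alert when a user's successful authentications
    within `window` span two or more distinct countries. The reported span is
    the time between the earliest and latest event in that group."""
    history = defaultdict(list)  # user -> [(ts, country)] of recent successes
    alerts = []
    for e in _successes(events):
        user, ts = e["user"], e["ts"]
        # Keep only prior successes that fall inside the window, then add this one.
        recent = [(t, c) for t, c in history[user] if ts - t < window]
        recent.append((ts, e["geoip_country"]))
        history[user] = recent
        countries = {c for _, c in recent}
        if len(countries) >= 2:
            alerts.append({"user": user, "countries": len(countries), "span": ts - recent[0][0]})
    return alerts


if __name__ == "__main__":
    baseline = {"user@domain.com": {"US"}}  # assumed known-good country for this user
    for a in custom_foreign_success_alerts(SAMPLE_EVENTS):
        print("CUSTOM non-US success:", a)
    for a in first_ingress_alerts(SAMPLE_EVENTS, known=baseline):
        print("FIRST INGRESS FROM COUNTRY:", a)
    for a in multi_country_alerts(SAMPLE_EVENTS):
        print("MULTIPLE COUNTRY INGRESS:", a)
```

Run against the sample, the custom alert fires for the Australia and Chile successes and stays silent for the two failures, the first-ingress logic produces the same two countries because the US baseline is already known, and the multi-country check fires once for 2 countries in 56 minutes 43 seconds. The failed Brazil and Argentina logons influence none of the three, which matches the behaviour described in the thread; a custom alert that should also cover failed logins would simply drop the `result == "SUCCESS"` filter.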

Oh ok, thank you. I thought I had signed in from a 3rd country but I guess not. Anyway I set up some additional custom alerts which will help even with failed logins.