We are getting a lot of multi-country authentication alerts in our environment. I have a question about a possible exception that can be used to close this incident:
Exception: “Ignore multiple country authentications from these countries for this user”
Let’s say somebody logged in from France and Belgium and I use this exception:
Will I still receive an alert when this user logs in from Belgium and Italy, or will it ignore all multiple-country authentication alerts that involve Belgium or France?
I’m also wondering how others handle these alerts. I was thinking about having a workflow which checks the involved IPs against VirusTotal and then immediately closes the incident if the IP is not suspicious.
To answer your question, if you make an alert modification for that user for authing from Belgium and France, then it will fire off for any other variations as long as they don’t include Belgium and then France:
Belgium and France Auths = no alert
Belgium and Italy = alert
Italy and France = alert
Depending on your organization’s needs and global footprint, there are multiple ways of handling these alerts:
Create modifications and allow countries that you have an active presence in so that only the non-approved countries fire off alerts (not a big fan of whitelisting so I won’t say this is or isn’t best practice as if an account is compromised within a country you have a user in, then it can go unnoticed)
Set Multi-country alerts to notable behavior in UBA and create a custom alert for any country that isn’t approved (MDR customers work with the SOC to do things like this for non-approved countries, but again alert modifications can create blind spots)
I would also recommend you set up the automation for enriching data, which will help add visibility and information to alerts with IP info.
Depending on how many contractors we are talking about, you could add them as values for a variable of your own creation, then add a single exception for the variable, then all you need to manage is that variable. https://docs.rapid7.com/insightidr/use-variables-in-queries
edit: What I’m referring to is NOT the UBA alert for Multi-country, but if you created a Custom ABA detection which works with the Exceptions and Variables.
We have had an alert modification for Multiple Country for Netherlands and Belgium at a customer. There is a user that has been traveling between Netherlands and Germany for over a year now. This started creating investigations this month. We went from 3 in a month to 39 investigations until now.
My theory was that this was because of the change from “Netherlands” to “The Netherlands” in the logs but that does not comply with the explanation given by Stephen in July '22 because Germany had no Alert Modification.
We have conducted a test within our own InsightIDR environment. We had no Alert Modifications for countries in our own environment to begin with. These are the steps we have taken:
I authenticated to Office365 using NordVPN from Brazil.
We got a Multiple Country investigation.
We closed and modified that investigation, allowing The Netherlands and Brazil for all users.
My coworker signed in from Luxembourg using NordVPN.
No investigation for Mult. Country, but we did get a NordVPN suspicious authentication with a notable behaviour on first signin from Luxembourg.
We removed the Alert Modification for The Netherlands.
My coworker signed in from Luxembourg again.
Now we get a Multiple Country investigation.
So it really looks like it is not working like intended.
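To make the pair semantics described in Stephen's answer concrete (Belgium+France suppressed, Belgium+Italy and Italy+France still alerting), and to illustrate the "Netherlands" vs "The Netherlands" label theory raised in the last post, here is an added Python model. It is not InsightIDR code and not from any of the posters; the event list, the exception list, the "*" all-users key, the time window and the label-normalisation toggle are all constructed assumptions. It generalises beyond the single Belgium/France case to any number of users and unordered country pairs, and the `normalize=False` mode shows what happens if exceptions are compared against log labels verbatim (a modelling assumption, not a statement about how the product actually compares labels).

```python
from collections import defaultdict

# Constructed sample authentication events (not real logs):
# (user, country label exactly as it appears in the log, minutes since window start)
SAMPLE_EVENTS = [
    ("alice", "Belgium", 0),
    ("alice", "France", 30),
    ("alice", "Italy", 75),
    ("bob", "Netherlands", 0),
    ("bob", "Germany", 45),
    ("carol", "The Netherlands", 0),
    ("carol", "Brazil", 20),
]

# Constructed exceptions, modelled as unordered country pairs per user.
# "*" stands for "applies to all users" (an assumption of this model).
SAMPLE_EXCEPTIONS = {
    "alice": [("Belgium", "France")],
    "*": [("Netherlands", "Brazil")],
}

WINDOW_MINUTES = 120  # assumed correlation window for "multiple country" logic


def canonical(country, normalize=True):
    """Return the comparison key for a country label.

    With normalize=True, case and a leading 'The ' are ignored, so
    'Netherlands' and 'The Netherlands' hit the same exception.
    With normalize=False the label is compared verbatim, which is the
    failure mode where a renamed label silently stops matching an exception.
    """
    if not normalize:
        return country
    key = country.strip().lower()
    return key[4:] if key.startswith("the ") else key


def build_exception_index(exceptions, normalize=True):
    """Map user -> set of frozenset({country_a, country_b}) comparison keys."""
    index = defaultdict(set)
    for user, pairs in exceptions.items():
        for a, b in pairs:
            index[user].add(frozenset((canonical(a, normalize), canonical(b, normalize))))
    return index


def is_excepted(user, pair, index):
    """An exception suppresses only the exact pair it names, for that user or for all users."""
    return pair in index.get(user, set()) or pair in index.get("*", set())


def detect_multi_country(events, exceptions, window=WINDOW_MINUTES, normalize=True):
    """Return a sorted list of (user, country_a, country_b) alerts.

    One alert is raised per user and unordered country pair whenever the user
    authenticated from both countries within `window` minutes and no exception
    covers that exact pair. Other pairs involving an excepted country still fire.
    """
    index = build_exception_index(exceptions, normalize)
    by_user = defaultdict(list)
    for user, country, t in events:
        by_user[user].append((t, country))

    alerts = set()
    for user, evs in by_user.items():
        evs.sort()  # chronological order so the window check can break early
        for i, (t_i, c_i) in enumerate(evs):
            for t_j, c_j in evs[i + 1:]:
                if t_j - t_i > window:
                    break
                pair = frozenset((canonical(c_i, normalize), canonical(c_j, normalize)))
                if len(pair) < 2 or is_excepted(user, pair, index):
                    continue  # same country, or an exception covers this pair
                alerts.add((user,) + tuple(sorted((c_i, c_j))))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_multi_country(SAMPLE_EVENTS, SAMPLE_EXCEPTIONS):
        print("ALERT (normalised labels):", alert)
    for alert in detect_multi_country(SAMPLE_EVENTS, SAMPLE_EXCEPTIONS, normalize=False):
        print("ALERT (verbatim labels):", alert)
```

In the normalised run, alice's Belgium+France pair is suppressed while Belgium+Italy and France+Italy still alert, bob's Netherlands+Germany alerts because the all-users exception only covers Netherlands+Brazil, and carol's "The Netherlands"+Brazil is suppressed. In the verbatim run carol additionally alerts, because the exception was written as "Netherlands" and the log now says "The Netherlands". If you keep exceptions for a product that matches labels literally, re-check them whenever the geolocation labels change.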