Multi Country Authentication Alert

Hello guys,

We are getting a lot of multi country authentication alerts in our environment. I have a question about a possible exception that can be used to close this incident:

  • Exception: “Ignore multiple country authentications from these countries for this user”

Let’s say somebody logged in from France and Belgium and I use this exception:

  • Will I still receive an alert when this user logs in from Belgium and Italy, or will it ignore all multiple country authentication alerts that involve Belgium or France?

I’m also wondering how others handle these alerts. I was thinking about having a workflow which checks the involved IPs against VirusTotal and then immediately closes the incident if the IP is not suspicious.

Hey @Ge72w108,

To answer your question, if you make an alert modification for that user for authing from Belgium and France, then it will fire off for any other variations as long as they don’t include Belgium and then France:

  • Belgium and France auths = no alert
  • Belgium and Italy = alert
  • Italy and France = alert

Depending on your organization’s needs and global footprint, there are multiple ways of handling these alerts:

Create modifications and allow countries that you have an active presence in so that only the non-approved countries fire off alerts (not a big fan of whitelisting, so I won’t say this is or isn’t best practice; if an account is compromised within a country you have a user in, then it can go unnoticed).

Set multi-country alerts to notable behavior in UBA and create a custom alert for any country that isn’t approved (MDR customers work with the SOC to do things like this for non-approved countries, but again, alert modifications can create blindspots).

I would also recommend you set up the automation for enriching data, which will help add visibility and information to alerts with IP info.
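The pair-matching semantics the answer describes (an exception for Belgium+France suppresses only that exact pair; Belgium+Italy and Italy+France still alert) can be written down as a small evaluator, which also makes the questioner's proposed enrichment workflow concrete. The code below is an added example and is not InsightIDR's own logic or any code from this thread; it assumes logins have already been GeoIP-resolved to ISO country codes, uses constructed sample logins, and stands in a constructed reputation table where a real workflow would query VirusTotal.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Login:
    user: str
    country: str   # ISO 3166-1 alpha-2 code, as produced by GeoIP enrichment (assumption)
    src_ip: str


# Constructed sample logins for one correlation window (not real data; RFC 5737 test ranges).
SAMPLE_LOGINS: List[Login] = [
    Login("alice", "FR", "203.0.113.10"),
    Login("alice", "BE", "198.51.100.7"),
    Login("bob",   "BE", "198.51.100.9"),
    Login("bob",   "IT", "192.0.2.44"),
    Login("carol", "IT", "192.0.2.80"),
    Login("carol", "FR", "203.0.113.99"),
]

# The exception from the thread: per user, the exact country pairs to ignore.
# Only alice has "ignore Belgium+France"; nothing is suppressed for bob or carol.
EXCEPTIONS: Dict[str, Set[FrozenSet[str]]] = {
    "alice": {frozenset({"FR", "BE"})},
}

# Constructed stand-in for an IP reputation lookup (a real workflow would call VirusTotal here).
CONSTRUCTED_REPUTATION: Dict[str, str] = {
    "192.0.2.44": "malicious",
}


def constructed_reputation(ip: str) -> str:
    """Return 'malicious' or 'harmless' from the constructed table."""
    return CONSTRUCTED_REPUTATION.get(ip, "harmless")


def country_pairs(logins: List[Login], user: str) -> List[FrozenSet[str]]:
    """Every unordered pair of distinct countries this user authenticated from."""
    countries = sorted({l.country for l in logins if l.user == user})
    return [frozenset(p) for p in combinations(countries, 2)]


def evaluate_user(logins: List[Login], user: str,
                  exceptions: Dict[str, Set[FrozenSet[str]]] = EXCEPTIONS) -> Dict[FrozenSet[str], bool]:
    """Map each country pair to True if it should alert, False if an exception covers it.

    A pair is suppressed only when it matches an allowed pair exactly, so an
    exception for {FR, BE} does not touch {BE, IT} or {IT, FR}.
    """
    ignored = exceptions.get(user, set())
    return {pair: pair not in ignored for pair in country_pairs(logins, user)}


def evaluate_all(logins: List[Login],
                 exceptions: Dict[str, Set[FrozenSet[str]]] = EXCEPTIONS) -> Dict[str, Dict[FrozenSet[str], bool]]:
    return {u: evaluate_user(logins, u, exceptions) for u in sorted({l.user for l in logins})}


def triage(user: str, logins: List[Login],
           exceptions: Dict[str, Set[FrozenSet[str]]],
           reputation: Callable[[str], str]) -> str:
    """Apply the exception first, then enrich the remaining alert's source IPs.

    Returns 'no-alert' when every pair is covered by an exception (or there is
    no multi-country activity), 'escalate' when any involved IP has a bad
    reputation, and 'auto-close-candidate' otherwise.
    """
    results = evaluate_user(logins, user, exceptions)
    if not any(results.values()):
        return "no-alert"
    verdicts = {l.src_ip: reputation(l.src_ip) for l in logins if l.user == user}
    if any(v == "malicious" for v in verdicts.values()):
        return "escalate"
    return "auto-close-candidate"


if __name__ == "__main__":
    for user, pairs in evaluate_all(SAMPLE_LOGINS).items():
        for pair, alerts in pairs.items():
            print(user, "+".join(sorted(pair)), "alert" if alerts else "no alert")
    for user in ("alice", "bob", "carol"):
        print(user, triage(user, SAMPLE_LOGINS, EXCEPTIONS, constructed_reputation))
```

The `triage` return value is deliberately `auto-close-candidate` rather than `closed`: a source IP with no reputation hits only means nothing known is attached to it, which is the blindspot the answer warns about, so the exception and the enrichment together narrow the queue but do not replace a look at the rest of the session context.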