Multi Country Authentications Workflow

Multi Country Authentications for Staff members.

I would like help or advice on how to create a new workflow in InsightConnect using a preconfigured alert in IDR.

The alert in IDR will trigger when a staff members account has been logged into from 2 or more countries within a short period of time. (We currently have staff and students in our AD tree. At the moment, we have an IDR alert for students which just deletes the IDR alert as we don’t want to do anything with these alerts).

what I would like to do is:

When an alert comes in for a STAFF member (using AD authentication), I would like the workflow to trigger, use a templated email then add the staff members name, the IP addresses in the alert and the countries listed in the alert.
Then either automatically send it from a specific email address (a centralised security mailbox) to the staff member or ask for human intervention to check and send the email.

Does anyone have any idea if something like this is possible and how I could go about creating the workflow? I am a complete beginner with this system and have had no formal training so I am winging it!!

Hi @sfallon, thanks for reaching out. Our team is working on providing you a sample workflow that you can use. As a quick answer to your question: yes, this is possible. Off the top of my head, I know that your workflow would need an Insight IDR User Behavior Analytics Alert Trigger. Additionally, you can find the IP addresses with a few plugins from the Insight Platform including IPStack. It is also possible to automatically send the templated email or to instead ask for human intervention by creating a “decision step” and selecting the tab “human” and then configuring the path details from there. We will write back soon with a link to the sample workflow that you can use.

4 Likes

Hi @sfallon thanks again for reaching out and for your patience. We’ve released the sample workflow to the extensions library called “Alert on InsightIDR Multi Country Authentication” linked here.

2 Likes

Hi,
I have these alerts, but some of the IPs involved are known and we use them, for example salesforce, aws,gcp, azure, google.

So I’d get an alert saying the user had logged into multiple countries (UK and the USA), when in reality they are working and using a SaaS tool thats located in the US.

What I’d like to do is be able to resolve the IP, if its a known provider, then change the assignee and close the IDR ticket


Microsoft IP Ranges

Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center (Azure)

Cloudflare IP Ranges

Google
https://www.gstatic.com/ipranges/goog.json
https://www.gstatic.com/ipranges/cloud.json

AWS
https://ip-ranges.amazonaws.com/ip-ranges.json

Salesforce
https://help.salesforce.com/s/articleView?id=000321501&type=1

Sales Force Marketing
https://help.salesforce.com/s/articleView?id=sf.mc_es_ip_addresses_for_inclusion.htm&type=5

CircleCI
https://circleci.com/docs/2.0/ip-ranges/

@phil_pearce You could create a global artifact of known good IP addresses, and have your workflow perform a lookup against that GA and if it finds a match then close the ticket. I did something similar for users on vacation/living abroad when they would trigger these alerts.

Hi, On some of these you have to extract some of these from a webpage, rather than just a file. and sometimes the IP is part of a subnet. Got any ideas on how to get past this?

I will look at it today and see if I can come up with a solution.