Multi country logins - playbook

I was thinking of using a Rapid7 playbook for one of our cases, we get a lot of multi country logins and to counter alert fatigue I was looking into building my own playbook.
One of the problems I have is when an employee is in one of the neighboring countries: we don't want to treat that as a threat and would include that in a whitelist, but the problem I then face is, what if a hacker is using a proxy from one of the neighboring countries? Is there a way to include that in the workflow?

1 Like

We have set the multi country logins as “track notable events”, because multi country logins are never (in our experience) the sole indicator of compromise.

If you still want to have this on, using a proxy gateway security solution like Zscaler or Cloudflare makes sense. It also gives you an additional layer of protection.

1 Like
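One way to express the workflow the question asks about, as an added example that is not from either poster and not a Rapid7 playbook: the neighboring-country allowlist is applied last, after a known-proxy/VPN check and an impossible-travel check, so a login from an allowlisted country still escalates when its source IP is on an anonymizer list or when the distance from the user's previous login could not have been covered in the elapsed time. The home country, the neighbor allowlist, the proxy IP list and the sample logins are all constructed for the example (the IPs are from the RFC 5737 documentation ranges).

```python
"""Triage a login event for a multi-country-login playbook.

Constructed example: home country, allowlist, proxy list and sample
logins are assumptions, not data from any real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

HOME_COUNTRY = "NL"                        # assumption
NEIGHBOR_ALLOWLIST = {"NL", "BE", "DE"}    # assumption: home plus neighbors
PROXY_IPS = {"203.0.113.7"}                # constructed: hypothetical anonymizer exit
MAX_PLAUSIBLE_KMH = 900.0                  # roughly airliner ground speed
MIN_TRAVEL_KM = 100.0                      # ignore geolocation jitter below this


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    country: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def triage(prev: Optional[Login], cur: Login) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'alert', 'notable' or 'track'.

    Order matters: proxy and impossible-travel checks run before the
    country allowlist, so an allowlisted country never hides them.
    """
    if cur.ip in PROXY_IPS:
        return "alert", "source IP on proxy/VPN list"

    if prev is not None and prev.user == cur.user:
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        # km > speed * hours also catches hours == 0 with a real distance.
        if km > MIN_TRAVEL_KM and km > MAX_PLAUSIBLE_KMH * max(hours, 0.0):
            return "alert", f"impossible travel: {km:.0f} km in {hours:.2f} h"

    if cur.country in NEIGHBOR_ALLOWLIST:
        return "track", "allowlisted neighboring country"

    return "notable", f"login from non-allowlisted country {cur.country}"


# Constructed sample events (coordinates are city centres, approximate).
T0 = datetime(2024, 3, 1, 9, 0)
AMSTERDAM = Login("alice", T0, "192.0.2.10", "NL", 52.37, 4.90)
BRUSSELS_OK = Login("alice", T0 + timedelta(hours=3), "192.0.2.11", "BE", 50.85, 4.35)
BRUSSELS_PROXY = Login("alice", T0 + timedelta(minutes=30), "203.0.113.7", "BE", 50.85, 4.35)
BERLIN_FAST = Login("alice", T0 + timedelta(minutes=10), "192.0.2.12", "DE", 52.52, 13.40)
NEW_YORK = Login("alice", T0 + timedelta(hours=12), "198.51.100.5", "US", 40.71, -74.01)


if __name__ == "__main__":
    for cur in (BRUSSELS_OK, BRUSSELS_PROXY, BERLIN_FAST, NEW_YORK):
        print(cur.country, cur.ip, triage(AMSTERDAM, cur))
```

The allowlist answers the alert-fatigue problem, and putting the proxy and velocity checks ahead of it answers the "what if the attacker proxies through a neighboring country" case; a real playbook would swap the constructed `PROXY_IPS` set for whatever anonymizer feed the gateway or SIEM already exposes.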