Multiple Country Authentications

Hi.
We get a lot of these alerts as users from overseas authenticate via Azure, then they log into a web app hosted in the USA.

Is there a place in IDR settings that I can add the external/internet IP address of my hosted apps so IDR can ignore these events and not trigger alerts?

I hope that makes sense.

InsightConnect via global artifacts

For the Multiple Country Authentication, I do not believe so. It is part of the Legacy Detection Rules, so until it moves over into the regular detection rule library, I don't think you will be able to without the use of something like InsightConnect.

We currently are not using InsightConnect but will be before the end of the year. :slight_smile:

Bummer

We have an option via support request to whitelist entire geoip organizations, so that if you see things like Netskope or Zscaler, for instance, you can ignore those entirely from Multi country auth events.

David

Hey David - did you end up sending all Zscaler IPs to whitelist? It’s a huge list… we’re running into the same issue and need to add exceptions when IP location contains Zscaler. We cannot since exceptions are not supported in legacy rules.

How can we leverage ICONN to assist with these Authentication type detection rules?

This requires a support ticket for us to whitelist on your behalf, we simply ignore all geo_ip organizations which are Zscaler. It doesn’t need all of the IPs.

David

It depends on what you are hoping to achieve. Would the option of whitelisting the Zscaler geo_ip_organization be useful, as I mentioned above?

Or what is it the automation you would like to do?

David

We’re looking to ignore multicountry alerts if the non-US country IP belongs to Zscaler. Therefore, track the activity but do not create an alert. We asked Zscaler to create PAC rules to keep all of our traffic in the US when the asset is physically in the US, but given our proximity to Canada we seem to still be hitting Zscaler’s Canadian nodes - not for all traffic, but regularly. This then raises alarms/creates investigations in R7. If we could exclude Zscaler Canada IPs from creating investigations, that would help.

Would allowlisting Zscaler from UBA Ingress alerts entirely work?

That is the option we can easily implement on our side.

David

For sure - it’s only the Canada datacenters that throw the alerts. A small list of IPs and one FQDN. As long as we can still see the traffic in the logs, excluding these IPs from alerts would be perfect.

Below is the short list of Zscaler Canada/Montreal datacenters:
https://config.zscaler.com/zscaler.net/cenr
165.225.212.0/23
ymq1-vpn.zscaler.net
2605:4300:2700::/40
170.85.146.0/23
170.85.148.0/23

I opened a ticket for this if it’s helpful.
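The suppression logic discussed in this thread, written out as an added example (not code from Rapid7, InsightIDR or the poster): an event counts towards a multi-country alert unless its geo_ip organization is allowlisted or its source IP falls in the Zscaler Canada ranges listed above. The event field names and the sample events are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Zscaler Canada/Montreal ranges quoted in the thread (IPv4 and IPv6).
ZSCALER_CA_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("165.225.212.0/23", "2605:4300:2700::/40",
                 "170.85.146.0/23", "170.85.148.0/23")
]
# Organization-level allowlist, mirroring the support-side option of
# ignoring every event whose geo_ip_organization is Zscaler.
ALLOWLISTED_ORGS = {"zscaler"}


@dataclass
class AuthEvent:
    # Field names are assumed for this example, not InsightIDR's schema.
    user: str
    source_ip: str
    country: str
    geo_ip_organization: str


def is_allowlisted_source(event: AuthEvent) -> bool:
    """True when this event must not count towards a multi-country alert."""
    if event.geo_ip_organization.strip().lower() in ALLOWLISTED_ORGS:
        return True
    try:
        addr = ipaddress.ip_address(event.source_ip)
    except ValueError:
        return False  # malformed IP: never suppress on bad data
    return any(addr in net for net in ZSCALER_CA_NETWORKS)


def multi_country_alert(events: list[AuthEvent]) -> tuple[set[str], bool]:
    """Return the countries that still count after suppression and whether
    to alert. Events are never dropped, only the alert decision changes."""
    counted = {e.country for e in events if not is_allowlisted_source(e)}
    return counted, len(counted) > 1


if __name__ == "__main__":
    # Constructed sample: US office login plus a Zscaler Montreal egress.
    sample = [
        AuthEvent("alice", "203.0.113.10", "US", "Example Corp"),
        AuthEvent("alice", "165.225.213.5", "CA", "Zscaler"),
    ]
    print(multi_country_alert(sample))  # ({'US'}, False)
```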

Yes, a ticket would be the way to achieve this. Did you say it was already open? If so, can you share the case #?

David