ishak
New Member
October 7, 2024
Question

Successful Logon from Outside My Country


Hello everyone,

I am working as a security analyst; I am working in a big company with more than 3000 users.
I have an issue with FortiSIEM: I am receiving a lot of incidents related to "Successful Logon From Outside My Country", hundreds of incidents daily.

I need to create a role to baseline the countries based on the geolocation.
Can anyone help me to do the same?
Thank you

    1 reply

    Secusaurus
    Contributor III
    October 7, 2024

    Hello @ishak,

     

    Best practice would be to add the countries to "My Home" in the "Country Groups" (Resources), so no rule change is required.

    If this is not possible (e.g. your employees travel a lot worldwide or you use a multi-tenant deployment with multiple requirements), you would need to edit (duplicate) the rule and make sure it ignores countries only for specific event types. If you cannot differentiate in the rule specification, disabling it completely would make more sense.

     

    If you would like to create something new from scratch, either have a look at the ML features or have a deeper look into the Fortinet Training "FCSS Security Operations", where different aspects of baseline rules are explained.

     

    Best,

    Christian

    NSE8 | Fortinet Advanced MSSP Partner
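
An added example, not part of the original thread and not FortiSIEM rule syntax: a Python sketch for sizing the two options in the reply above before changing anything, run over exported successful-logon events. The event tuples, the event type names and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of successful logons: (user, source country, event type).
# Event type names are hypothetical labels, not FortiSIEM event types.
EVENTS = [
    ("alice", "DE", "vpn_logon"), ("bob", "DE", "vpn_logon"),
    ("carol", "DE", "mail_logon"), ("dave", "DE", "vpn_logon"),
    ("dave", "FR", "vpn_logon"), ("erin", "FR", "mail_logon"),
    ("alice", "FR", "mail_logon"), ("bob", "US", "mail_logon"),
    ("erin", "US", "vpn_logon"), ("carol", "BR", "vpn_logon"),
]

def home_country_candidates(events, min_users=3, min_share=0.5):
    """Countries used by many distinct users: candidates for the home group.

    Counting distinct users (not raw logons) keeps one noisy or compromised
    account from promoting a country into the baseline.
    """
    users_by_country = defaultdict(set)
    for user, country, _etype in events:
        users_by_country[country].add(user)
    total_users = len({user for user, _c, _e in events})
    return sorted(
        country for country, users in users_by_country.items()
        if len(users) >= min_users and len(users) / total_users >= min_share
    )

def remaining_alerts(events, home, exceptions=None):
    """Events that would still alert.

    home: countries treated as "inside my country".
    exceptions: {event_type: {countries}} ignored only for that event type,
    mirroring a duplicated rule with a narrow exception.
    """
    exceptions = exceptions or {}
    return [
        (user, country, etype) for user, country, etype in events
        if country not in home and country not in exceptions.get(etype, set())
    ]

if __name__ == "__main__":
    home = set(home_country_candidates(EVENTS))
    print("home group candidates:", sorted(home))
    print("still alerting:", remaining_alerts(EVENTS, home))
    print("with mail exception:",
          remaining_alerts(EVENTS, home, {"mail_logon": {"US"}}))
```

Countries that never reach the thresholds stay alertable, and an exception scoped to one event type leaves the same country alerting for every other logon type.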
    ishak (Author)
    New Member
    October 8, 2024

    Will check it, thank you.