koolishami
Staff
February 25, 2026

Troubleshooting Tip: Sudden user location change in FortiSIEM

Description
This article describes how to investigate Sudden User Location Change incidents in FortiSIEM. The incident is raised when the system detects an abrupt change in a user's geographic location between two sightings, which can indicate a security violation such as use of the account from a location where the user cannot plausibly be.
Scope
FortiSIEM v7.x and later.
Solution

To troubleshoot Sudden User Location Change incidents in FortiSIEM, follow these steps:

  1. Check the FortiSIEM version. Confirm the deployment is running a current, supported 7.x release, since the Identity and Location behaviour described here applies to v7.x and later.
  2. Understand the PH_USER_MON_SUDDEN_LOC_CHANGE event. This event is generated when the system detects a sudden change in a user's location between consecutive sightings, which could indicate a security violation.
  3. Review the Identity and Location dashboard. The Identity and Location module records, per user, the source IP, longitude, latitude and last seen time. For every new Identity and Location event, the Haversine (great-circle) distance between the new longitude/latitude and the previously recorded ones for that user is calculated, and that distance is assessed against the time elapsed since the user was last seen.
  4. Check the data source. The data sources that feed the Identity and Location module, and therefore can trigger the rule, are defined in /opt/phoenix/config/identityDef.xml. The rule definition itself is documented in the FortiSIEM documentation under PH_RULE_USER_MON_SUDDEN_LOC_CHANGE.
  5. Analyze the log. The incident carries the source IP address, longitude, latitude, user and last seen time for the sighting that triggered it. Compare these with the previous sighting to determine the cause. Before treating the incident as a true positive, check whether the new source IP belongs to a VPN concentrator, proxy, or cloud egress point whose GeoIP location differs from where the user physically is, and whether the GeoIP data in use is current; a stale or coarse GeoIP mapping is a common source of false positives for this rule.
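The detection logic behind steps 3 and 5, written out as an added example so an analyst can reproduce the distance and implied-speed calculation by hand. This is illustrative code, not FortiSIEM's own implementation of PH_RULE_USER_MON_SUDDEN_LOC_CHANGE: the key=value log format, the 900 km/h plausibility threshold and the sample events are assumptions constructed for the example. It keeps a per-user last-seen record (source IP, longitude, latitude, time), computes the Haversine distance to each new sighting, converts it to an implied travel speed, and flags sightings that could not have been reached in the elapsed time, including the edge case of two sightings with the same timestamp.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

EARTH_RADIUS_KM = 6371.0
# Assumed analyst threshold for this example, not a FortiSIEM default:
# anything faster than a commercial airliner is treated as implausible.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class IdentityEvent:
    user: str
    src_ip: str
    lat: float
    lon: float
    seen: datetime


@dataclass
class LocationChangeAlert:
    user: str
    prev_ip: str
    new_ip: str
    distance_km: float
    hours: float
    speed_kmh: float


class IdentityLocationTracker:
    """Per-user last-seen table, mirroring what the Identity and Location module keeps."""

    def __init__(self, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
        self.max_speed_kmh = max_speed_kmh
        self.last_seen: Dict[str, IdentityEvent] = {}

    def process(self, ev: IdentityEvent) -> Optional[LocationChangeAlert]:
        prev = self.last_seen.get(ev.user)
        self.last_seen[ev.user] = ev
        if prev is None:
            return None  # first sighting: nothing to compare against
        dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        hours = (ev.seen - prev.seen).total_seconds() / 3600.0
        if hours <= 0:
            # Same or out-of-order timestamp: any non-zero distance is instantaneous travel.
            speed = math.inf if dist > 0 else 0.0
        else:
            speed = dist / hours
        if speed > self.max_speed_kmh:
            return LocationChangeAlert(ev.user, prev.src_ip, ev.src_ip, dist, hours, speed)
        return None


def parse_event(line: str) -> IdentityEvent:
    """Parse the constructed key=value line format used by SAMPLE_LOG (not FortiSIEM's format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return IdentityEvent(
        user=fields["user"],
        src_ip=fields["srcIp"],
        lat=float(fields["lat"]),
        lon=float(fields["lon"]),
        seen=datetime.fromisoformat(fields["lastSeen"]),
    )


# Constructed sample sightings: alice London -> Paris (4 h, plausible) -> New York (1 h, not);
# bob appears in two cities with identical timestamps.
SAMPLE_LOG = [
    "user=alice srcIp=203.0.113.10 lat=51.5074 lon=-0.1278 lastSeen=2026-02-25T09:00:00+00:00",
    "user=alice srcIp=203.0.113.20 lat=48.8566 lon=2.3522 lastSeen=2026-02-25T13:00:00+00:00",
    "user=alice srcIp=198.51.100.7 lat=40.7128 lon=-74.0060 lastSeen=2026-02-25T14:00:00+00:00",
    "user=bob srcIp=192.0.2.5 lat=35.6762 lon=139.6503 lastSeen=2026-02-25T10:00:00+00:00",
    "user=bob srcIp=192.0.2.9 lat=-33.8688 lon=151.2093 lastSeen=2026-02-25T10:00:00+00:00",
]


def run(lines: List[str] = SAMPLE_LOG) -> List[LocationChangeAlert]:
    tracker = IdentityLocationTracker()
    alerts = []
    for line in lines:
        alert = tracker.process(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run():
        print(f"{a.user}: {a.prev_ip} -> {a.new_ip}, {a.distance_km:.0f} km in {a.hours:.2f} h "
              f"({a.speed_kmh:.0f} km/h)")
```

When checking a real incident, feed the previous and new sightings from the Identity and Location dashboard into haversine_km and divide by the elapsed hours; if the implied speed is plausible, look for a GeoIP or VPN explanation before escalating.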