FortiSIEM Discussions
ishak
New Contributor

Successful Logon from Outside My Country

Hello everyone,

I am working as a security analyst in a big company with more than 3000 users.
I have an issue with FortiSIEM: I am receiving a lot of incidents related to "Successful Logon From Outside My Country", hundreds of incidents daily.

I need to create a role to baseline the countries based on the geolocation.
Can anyone help me do this?
Thank you

Ishak
2 REPLIES
Secusaurus
Contributor II

Hello @ishak,

 

Best practice would be to add the countries to "My Home" in the "Country Groups" (Resources), so no rule change is required.

If this is not possible (e.g. your employees travel a lot worldwide or you use a multi-tenant deployment with multiple requirements), you would need to edit (duplicate) the rule and make sure it ignores countries only for specific event types. If you cannot differentiate in the rule specification, disabling it completely would make more sense.

 

If you would like to create something new from scratch, either have a look at the ML features or have a deeper look into the Fortinet Training "FCSS Security Operations", where different aspects of baseline rules are explained.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
ishak

Will check it, thank you.

Ishak