FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
goliver
Staff
Article Id 300543
Description

This article describes how to resolve an issue where the GeoDB shows IP addresses as belonging to the wrong country.
Scope

FortiSIEM, FortiGuard.

Solution

FortiSIEM uses the FortiGuard GeoDB to display the geolocation for an IP. Sometimes the country shown for an IP is wrong, either because the flag displayed in Analytics is incorrect or because the GeoDB information itself is incorrect. These incorrect geolocations may cause rules to trigger erroneously, including:


  • 'Concurrent Failed Authentications To Same Account From Multiple Countries'.
  • 'Successful VPN Logon From Outside My Country'.
  • 'Concurrent Successful VPN Authentications To Same Account From Different Countries'.


Check that the home country is correctly configured:

Many rules and reports use the My Home CMDB Object as defined in RESOURCES -> Country Groups -> My Home.

By default, this is set to United States of America.


Next, check the IP against https://www.fortiguard.com/services/ipge to see whether the FortiGuard entry for that IP is up to date, or whether FortiGuard is lagging behind the other GeoDB.


The latest GeoDB updates can be downloaded under ADMIN -> Content Update.

If this still does not correct the issue, the IP can be contested here: https://www.fortiguard.com/faq/ipge.
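To show why a single wrong GeoDB entry can fire the country-based rules listed above, here is a simplified, added example in Python. It is not FortiSIEM's own rule engine or data; the events, the 30-minute window, the `GEODB_OVERRIDES` map (standing in for a corrected GeoDB entry after a content update or a contested IP) and the function names are all constructed for illustration. The home country uses the FortiSIEM default, United States of America.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): successful VPN logons as a SIEM
# would see them after the GeoDB lookup: (timestamp, user, source IP, country).
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "203.0.113.10", "United States of America"),
    ("2024-05-01T08:05:00", "alice", "203.0.113.20", "Brazil"),  # stale GeoDB entry
    ("2024-05-01T09:30:00", "bob",   "198.51.100.5", "United States of America"),
    ("2024-05-01T12:00:00", "alice", "203.0.113.10", "United States of America"),
]

# Hypothetical correction: after verifying 203.0.113.20 on the FortiGuard IP
# geolocation page and applying the GeoDB update, it resolves to the US.
GEODB_OVERRIDES = {"203.0.113.20": "United States of America"}

HOME_COUNTRY = "United States of America"  # FortiSIEM default for My Home
WINDOW = timedelta(minutes=30)             # assumed correlation window


def resolve_country(ip, reported, overrides):
    """Return the corrected country if an override exists, else the GeoDB value."""
    return overrides.get(ip, reported)


def logons_outside_home(events, home=HOME_COUNTRY, overrides=None):
    """Illustrative version of 'Successful VPN Logon From Outside My Country':
    every successful logon whose resolved country differs from the home country."""
    overrides = overrides or {}
    return [(ts, user, ip) for ts, user, ip, country in events
            if resolve_country(ip, country, overrides) != home]


def concurrent_multi_country(events, window=WINDOW, overrides=None):
    """Illustrative version of 'Concurrent Successful VPN Authentications To Same
    Account From Different Countries': same account, two different resolved
    countries within the window."""
    overrides = overrides or {}
    by_user = defaultdict(list)
    for ts, user, ip, country in events:
        by_user[user].append((datetime.fromisoformat(ts), ip,
                              resolve_country(ip, country, overrides)))
    hits = []
    for user, recs in by_user.items():
        recs.sort()
        for i, (t1, ip1, c1) in enumerate(recs):
            for t2, ip2, c2 in recs[i + 1:]:
                if t2 - t1 > window:
                    break  # records are sorted, so nothing later can match
                if c1 != c2:
                    hits.append((user, ip1, c1, ip2, c2))
    return hits


if __name__ == "__main__":
    # With the stale entry both rules fire on alice; with the corrected GeoDB neither does.
    print("outside home (stale):    ", logons_outside_home(EVENTS))
    print("outside home (corrected):", logons_outside_home(EVENTS, overrides=GEODB_OVERRIDES))
    print("multi-country (stale):    ", concurrent_multi_country(EVENTS))
    print("multi-country (corrected):", concurrent_multi_country(EVENTS, overrides=GEODB_OVERRIDES))
```

Run as written, both rules produce one hit for `alice` caused solely by the stale entry for 203.0.113.20; once that entry resolves to the home country, neither rule fires. The point for an analyst is that the event data never changed, only the geolocation did, which is why verifying the GeoDB entry (and the My Home setting) belongs before any investigation of the account.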
