Hi,
As you can see in the first image chronicle has considered the following IP was from brazil location but when i checked with the user he denined the travel and when i cross checked the ip location with VT,IP void and abuse ipdb they were showing the ip belongs to USA. can you tell me how to overcome these issues
Chronicle SIEM location mismatch
+3- Bronze 1
+8@Akshay04 thanks for reporting. Please open a customer support case, so that we can investigate and, if appropriate, correct our records moving forward.
+13- Bronze 5
Hi @Akshay04
Chronicle uses a range of different methods to identify the geolocation of an Ip Address, "Google proprietary IP geolocation technology uses a combination of networking data and other inputs and methods to provide IP address location and network resolution for our users. Other organizations may use different signals or methods, which might occasionally lead to different results."[1].
The inconsistency between what Virustotal outputs, and what is ingested within your SIEM, is likely that the country and geolocation outputted in Virustotal is old (by the looks of the screenshot, 1 year ago). In extreme circumstances where the geolocation enrichment is inaccurate, you can open a support ticket where this can be investigated. Other tools use different methods or apis to perform geolocation enrichment, all of which don't have 100% accuracy.
[1] -
https://cloud.google.com/chronicle/docs/event-processing/data-enrichment#inconsistencies
Kind Regards,
Kind Regards,
Ayman
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.