Forum Discussion
msef280
Jun 22, 2021, Copper Contributor
Analytics rule: Successful logon from IP and failure from a different IP
Hi All, I am trying to understand the concept behind the rule "Successful logon from IP and failure from a different IP". So it is triggering multiple alerts & it does match the condition because...
m_zorich
Jun 23, 2021, Iron Contributor
msef280 you could add the logic in the query to exclude your known addresses
| where IPAddress != "10.10.10.10"
Or you could look at adding logic that looks at user agents as well as the IP address? If the user agent is the same for both sign-ins, then it is less likely to be malicious.
msef280
Aug 13, 2021, Copper Contributor
Hi m_zorich ,
Is there any way I can exclude a subnet range? Let's say our VPN address's first 3 octets are always 165.225.208.*
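Added example, not the built-in rule's own query and not posted by either participant: a KQL query that puts both suggestions from the reply (a single-address exclusion and a user-agent comparison) and the subnet question into one rule. It assumes the rule reads the Azure AD SigninLogs table with its standard columns (TimeGenerated, UserPrincipalName, IPAddress, ResultType, UserAgent); the address 10.10.10.10 and the VPN range 165.225.208.* are the ones from the thread, written as the CIDR block 165.225.208.0/24. Column aliases such as SuccessIP and FailIP are names chosen for this example.

```kusto
// Added example (not the built-in analytics rule's query).
// Assumes SigninLogs with columns TimeGenerated, UserPrincipalName, IPAddress, ResultType, UserAgent.
let lookback  = 1d;
let known_ips = dynamic(["10.10.10.10"]);   // single addresses to ignore (from the thread)
let vpn_range = "165.225.208.0/24";         // CIDR form of 165.225.208.* (from the thread)
let signins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where isnotempty(IPAddress)
    // exclude known single addresses
    | where IPAddress !in (known_ips)
    // exclude the VPN /24; coalesce() keeps IPv6 rows, where ipv4_is_in_range() returns null
    | where coalesce(ipv4_is_in_range(IPAddress, vpn_range), false) == false;
let successes = signins
    | where ResultType == "0"
    | project UserPrincipalName, SuccessIP = IPAddress, SuccessUA = UserAgent, SuccessTime = TimeGenerated;
let failures = signins
    | where ResultType != "0"
    | project UserPrincipalName, FailIP = IPAddress, FailUA = UserAgent, FailTime = TimeGenerated;
successes
| join kind=inner failures on UserPrincipalName
// the rule's core condition: success and failure for the same user from different addresses
| where SuccessIP != FailIP
// the user-agent heuristic from the reply: same UA on both sign-ins is less suspicious, so drop those pairs
| extend SameUserAgent = (SuccessUA == FailUA)
| where not(SameUserAgent)
| summarize FailureCount = count(),
            FailureIPs   = make_set(FailIP, 20),
            FirstFailure = min(FailTime),
            LastFailure  = max(FailTime)
    by UserPrincipalName, SuccessIP, SuccessUA, SuccessTime
| order by FailureCount desc
```

A wildcard like 165.225.208.* is exactly a /24, so ipv4_is_in_range() with a CIDR string is the direct way to express it; add further ranges by repeating the where clause or by keeping them in a watchlist. One caveat when excluding a whole VPN egress range: any sign-in that an attacker routes through that same VPN is excluded too, so the user-agent check is worth keeping even for traffic from trusted ranges.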