It states "Description: Customize this variable to identify your Corporation's Geolocations. It is set to United States on default."
Does anyone know where I can get more information on the format used in the SIEM?
I have found entries from the event windows and added them and still get alerts for the same entries. I have finally tuned the rule using it off.
While in Policy Editor > Variable > Reputation > CORP_GEOS, select the Funnel to select your corporation's Geo Locations. CTRL+Click will allow for multiple locations.
Are you using Zones with Geo-Locations set for your locations, if using private address space? This will allow you to specify by IP Range, and then set the Geo-Location information.