I have an alarm for detecting any login outside a few geolocations. I am getting a few alerts due to this rule where the users are in the locations but it shows a login from outside, as the ISP routes through that country as and when the servers are busy.
I am planning to whitelist the subnet from the IP, but there is no option as such. So I have just added the IP from which the traffic was observed.
Is there any way we can whitelist the full IP subnet at once? Please advise.
If you do this via correlation, you can add another "Source IP not in 10.0.0.0/16" so this rule will not trigger if the source IP is in the 10.0.0.0 network.
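Added example, not part of the original thread or any SIEM's own rule syntax: the correlation logic the answer describes (country outside the allowed set AND source IP not in an excluded subnet), run over constructed login events. The country codes, field names and events are assumptions; note that `10.0.0.0/16` covers only 10.0.0.0 through 10.0.255.255, so an address such as 10.1.0.5 still alerts.

```python
import ipaddress

# Assumed values for illustration; only the /16 comes from the answer.
ALLOWED_COUNTRIES = {"IN", "SG"}
EXCLUDED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]


def is_excluded(source_ip):
    """True if source_ip falls inside any excluded subnet."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # Unparseable address: never exempt it, let the rule evaluate it.
        return False
    return any(
        addr in net for net in EXCLUDED_NETWORKS if addr.version == net.version
    )


def should_alert(event):
    """Alert when the login country is not allowed AND the IP is not excluded."""
    if event["country"] in ALLOWED_COUNTRIES:
        return False
    return not is_excluded(event["src_ip"])


# Constructed sample login events (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "10.0.12.7", "country": "NL"},    # in the /16: suppressed
    {"user": "bob", "src_ip": "10.1.0.5", "country": "NL"},       # outside the /16: alerts
    {"user": "carol", "src_ip": "203.0.113.9", "country": "IN"},  # allowed country: no alert
    {"user": "dave", "src_ip": "not-an-ip", "country": "NL"},     # malformed IP: alerts
]


def alerts(events):
    """Return the users whose logins would raise the geolocation alarm."""
    return [e["user"] for e in events if should_alert(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

Keeping the excluded range as narrow as the ISP's observed prefix limits how many out-of-region logins the exclusion hides from the alarm.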