Geo Country Name showing wrong country
Greetings Protect People,
I have created a rule which triggers if someone connects to the VPN from a country other than Mongolia.
But it seems the IP and country table of ArcSight hasn't been updated for some time and is showing me an incorrect Geo Country Name. The notification shows me that the VPN client connected from the United States, but I checked the public IP address using DomainTools WHOIS, and it shows that the IP belongs to Mongolia.
Did anyone face this issue?
How can I update the Geo and IP address info?
Actually the information is not derived from a DNS lookup but rather from a GeoIP lookup based on a MaxMind database. The MaxMind database is updated as part of the content subscription: if you are subscribed you can download the content update to get the latest version.
Some caveats and tips:
- Express 4 and older:
  - I believe the update does not support Express 4 and older. If you are on Express 4, it is time to upgrade to 6.9.1 anyway.
  - You could use the process outlined here to update an Express 4 yourself using a database from the MaxMind web site. I think you will need to use the MaxMind legacy database as outlined a few responses later.
- ESM or later Express versions:
  - If you don't have a content subscription, you can still update directly from MaxMind using the new format of the database. I didn't check if the instructions for applying the files are the same.
  - ArcSight ships the free version of MaxMind. You can buy the commercial version and use the same instructions to update ESM or Express (using the right version, legacy or new) to get more accurate results.
What about the HPE SW ARST Context Entitlement September 2016 which I can see in the download section on the HPE website? Wouldn't applying the context update solve this issue?