Chronicle - January 31st, 2023 [Change]

## Change

Geolocation enrichment from an IP address

Chronicle provides geolocation data enrichment (GeoIP data) for external IP addresses to enable more powerful rule detections and greater context for investigations. Chronicle uses location data provided by Google to provide an approximate geographic location for an external IP address.

For more information, see:

* [How Chronicle enriches event and entity data](https://cloud.google.com/chronicle/docs/event-processing/data-enrichment)
* [How to use context-enriched data in rules](https://cloud.google.com/chronicle/docs/detection/use-enriched-data-in-rules)
* [Use context-enriched data in UDM Search](https://cloud.google.com/chronicle/docs/investigation/use-enriched-data-in-search)
* [Use context-enriched data in reports](https://cloud.google.com/chronicle/docs/reports/use-enriched-data-in-reports)

## Change

The [Chronicle Curated Detections](https://cloud.google.com/chronicle/docs/detection/curated-detections) > [Cloud Threats policy](https://cloud.google.com/chronicle/docs/detection/cloud-threats-category) has been enhanced with the following changes:

* Admin Action rule set: added a new exclusion list, called `gcti__cld__admin_action__network_http_user_agent__exclusion_list`, that enables you to exclude events based on the HTTP User Agent string.
* IAM Abuse rule set: added a new exclusion list, called `gcti__cld__iamabuse__network_http_user_agent__exclusion_list`, that enables you to exclude events based on the HTTP User Agent string.