7.6.1 SIEM not showing packetbeat flow asn info

willemdh · March 26, 2020, 9:07pm

Hello,

I was trying to enrich our flow data a bit from our Packetbeat data. Adding geoip data worked fine and showed up in SIEM, but I have some isues getting ASN info shown correctly in SIEM.

So I made this processor:

PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "destination.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "destination.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    }
  ]
}

And added pipeline: "geoip-info" to the output in packetbeat.yml.

The as fields are added to the packetbeat data:

But for some reason the ASN data is not shown in SIEM.

Not sure why, I did notice a difference and that there is also as.organization.name in the latest ECS versions. Maybe SIEM doesn't work with as.organization_name?

Grtz

Willem

willemdh · March 26, 2020, 9:35pm

Hello,

I can confirm that when I rename the organization_name as field to organization.name, it works..

PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "client.as.organization_name",
        "target_field": "client.as.organization.name",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "source.as.organization_name",
        "target_field": "source.as.organization.name",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "destination.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "organization_name",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "destination.as.organization_name",
        "target_field": "destination.as.organization.name",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "server.as.organization_name",
        "target_field": "server.as.organization.name",
        "ignore_missing": true
      }
    }
  ]
}

This seems to imply that the geoip ingest processor needs to be updated? Having to rename those fields is not very optimal. Also the documentation doesn't mention this anywhere.

Grtz

Willem

system · April 23, 2020, 9:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
I'm not seeing any geoip data from my zeek logs in my SIEM map SIEM	3	938	September 9, 2019
Elastic-agent - Custom logs - no asn fields Elastic Agent filebeat	5	210	April 7, 2024
GeoIP mapping returns wrong results Beats packetbeat	4	412	November 13, 2020
Forgot how to get geoip enrichment to work for packetbeat Beats packetbeat , ingest-pipeline	2	398	January 11, 2023
Geoip pipeline creation issue Elasticsearch	6	433	March 28, 2019

7.6.1 SIEM not showing packetbeat flow asn info

Related Topics