7.6.1 SIEM not showing packetbeat flow asn info

willemdh · March 26, 2020, 9:07pm

Hello,

I was trying to enrich our flow data a bit from our Packetbeat data. Adding geoip data worked fine and showed up in SIEM, but I have some isues getting ASN info shown correctly in SIEM.

So I made this processor:

PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "destination.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "destination.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    }
  ]
}

And added pipeline: "geoip-info" to the output in packetbeat.yml.

The as fields are added to the packetbeat data:

But for some reason the ASN data is not shown in SIEM.

Not sure why, I did notice a difference and that there is also as.organization.name in the latest ECS versions. Maybe SIEM doesn't work with as.organization_name?

Grtz

Willem

willemdh · March 26, 2020, 9:35pm

Hello,

I can confirm that when I rename the organization_name as field to organization.name, it works..

PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "client.as.organization_name",
        "target_field": "client.as.organization.name",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "source.as.organization_name",
        "target_field": "source.as.organization.name",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "destination.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "organization_name",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "destination.as.organization_name",
        "target_field": "destination.as.organization.name",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.as",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "server.as.organization_name",
        "target_field": "server.as.organization.name",
        "ignore_missing": true
      }
    }
  ]
}

This seems to imply that the geoip ingest processor needs to be updated? Having to rename those fields is not very optimal. Also the documentation doesn't mention this anywhere.

Grtz

Willem

system · April 23, 2020, 9:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.