I have an index that I've created that follows the ECS standard. Within the index I have the source.as.* and destination.as.* fields that are populated using the GeoLite2-ASN database. The fields are being populated in the index, but the Network section of SIEM doesn't display them: neither the main page nor the drilled-down view of the IP shows this information. I verified with the "inspect" feature that I am populating the right fields. This is on version 7.4.0, if that matters.
Here's a sample document that doesn't show the ASN in SIEM, but does show the fields in searches. Any ideas what I might be missing or doing incorrectly? One thing I'm unsure about: the `as` object below carries the Logstash geoip filter's default `asn` / `as_org` keys (plus an extra `as.ip`), whereas as far as I can tell ECS names these `as.number` and `as.organization.name` — could SIEM be keying strictly on the ECS field names? Similarly, `source.port` / `destination.port` are indexed as strings here rather than numbers, and `message` still contains the unresolved `%{[message][1]}` reference, so part of the pipeline isn't matching what I expect.
{
"source": {
"ip": "192.168.1.1",
"interface": "X16",
"mac": "00:00:00:00:00:00",
"bytes": 119311,
"port": "62190"
},
"agent": {
"type": "logstash",
"name": "vDEVLOG1"
},
"observer": {
"type": "firewall",
"ip": "1.1.1.1",
"serial_number": "NA",
"vendor": "unknown"
},
"message": "%{[message][1]}",
"destination": {
"port": "443",
"as": {
"asn": 46489,
"as_org": "Twitch Interactive Inc.",
"ip": "52.223.226.232"
},
"interface": "X5",
"ip": "52.223.226.232",
"geo": {
"location": {
"lat": 47.6348,
"lon": -122.3451
},
"longitude": -122.3451,
"country_code3": "US",
"postal_code": "98109",
"region_code": "WA",
"continent_code": "NA",
"city_name": "Seattle",
"ip": "52.223.226.232",
"latitude": 47.6348,
"dma_code": 819,
"region_name": "Washington",
"country_code2": "US",
"timezone": "America/Los_Angeles",
"country_name": "United States"
},
"bytes": 17384244,
"mac": "40:a6:e8:5f:ba:d6"
},
"network": {
"protocol": "https",
"transport": "tcp",
"bytes": 17503555
},
"host": {
"ip": "192.168.1.1"
},
"url": {
"domain": "video-edge-eddcc8.ord02.abs.hls.ttvnw.net",
"path": "/v1/"
},
"@version": "1",
"id": "a-fw",
"tags": [
"syslog",
"unknown",
"privateip_source"
],
"@timestamp": "2019-10-31T23:00:02.000Z",
"_index": "syslog-1.0-000028",
"_type": "_doc",
"_id": "aKUMJG4B3alxQ_lAFsNy",
"_score": 1
}