Man715
August 1, 2020, 9:03pm
1
I have not been able to find any information about this issue. Also, I am very new to the elastic stack.
I am using the ealsticsearch pipeline to enrich my logs with geoip data as seen in here: https://www.elastic.co/blog/elastic-siem-for-small-business-and-home-3-geoip-data-and-beats-config-review
Any help, guidance, or direction to further reading would be greatly appreciated.
Thank you.
Hi Arron,
Welcome to the Elastic stack. Thank you for reaching out! My recommendation would be to follow this documentation and make sure that all of your source and destination geo data is mapped correctly: https://www.elastic.co/guide/en/siem/guide/current/conf-map-ui.html
There is also a blog post about this feature. There is a gif that shows what you should be seeing: https://www.elastic.co/blog/integrating-maps-into-elastic-siem
Please let me know if you are able to get this working. If you have trouble, posting your mappings.json would be helpful. Thanks!
Steph
Man715
August 3, 2020, 8:06pm
3
Steph,
Thank you for the response.
I am not sure what mappings.json you would like to see. The following are the ones on my server:
/usr/share/kibana/src/legacy/core_plugins/kibana/mappings.json
/usr/share/kibana/src/legacy/core_plugins/timelion/mappings.json
/usr/share/kibana/x-pack/legacy/plugins/maps/mappings.json
/usr/share/kibana/x-pack/plugins/actions/server/saved_objects/mappings.json
/usr/share/kibana/x-pack/plugins/alerting/server/saved_objects/mappings.json
/usr/share/kibana/x-pack/plugins/event_log/generated/mappings.json
/usr/share/kibana/x-pack/plugins/lists/server/services/items/list_item_mappings.json
/usr/share/kibana/x-pack/plugins/lists/server/services/lists/list_mappings.json
/usr/share/kibana/x-pack/plugins/task_manager/server/saved_objects/mappings.json
I do have some entries that look like this:
Aug 3, 2020 @ 14:21:51.035 255.255.255.255 - 192.168.0.19 {
"lon": ********,
"lat": *********
}
I appears that broadcast addresses and loopback address does not get the geoip data when
Would this cause this type of an issue?
Man715
August 4, 2020, 3:30pm
4
Steph,
I spoke with James Spiteri on the Slack channel who explained how to get what you requested.
As there is a character limit for each post, I have the packetbeat mapping in pastebin. Please let me know if this is not acceptable.
I have noticed this issue as well. Depending on zoom levels some data shows and some does not.
This has been consistent since day 1 of the feature.
I finally have a way of actually showing it, as seen above.
All geo point data exists, it just seems like it doesn't quite render fully. Happy to provide more details, please let me know.
This is WinLogBeat data via SysMon and process network connections.
Man715
August 5, 2020, 8:31pm
6
Yeah, I am also able to see the destination bytes for each path even though it eventually disappears and I never get to see the destination IP.
Also, did you change the icons? I have pink dots for destination and a blue house for the source, which I really would like to change.
I was not in the SIEM app. I was using the Maps visualization and created my own layers.
system
September 2, 2020, 8:48pm
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
