Hello everyone,
I am having an issue displaying GeoIP and AS fields in the SIEM app within Kibana.
I have made sure that the fields are remapped to the appropriate ECS fields. As seen in the screenshot, no field is populated, but when I inspect the response that was returned, I can see that the information is present but simply not displayed.
I am using Logstash to rename and remap the fields and to add GeoIP data. I can share that configuration if needed.
I appreciate any help or advice.
Response Data
{
"took": 4,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"max_score": null,
"hits": []
},
"aggregations": {
"host": {
"doc_count": 0,
"results": {
"hits": {
"total": {
"value": 0,
"relation": "eq"
},
"max_score": null,
"hits": []
}
}
},
"destination": {
"doc_count": 10317,
"geo": {
"doc_count": 10317,
"results": {
"hits": {
"total": {
"value": 10317,
"relation": "eq"
},
"max_score": null,
"hits": [
{
"_index": "bluecoat-2020.11",
"_type": "_doc",
"_id": "rsHy6HABRlOyzcJIDe9r",
"_score": null,
"_source": {
"destination.geo": {
"location": {
"lon": -83.0235,
"lat": 39.9653
}
},
"destination.geo.city_name": "Columbus",
"destination.geo.country_iso_code": "US",
"destination.geo.region_name": "Ohio",
"destination.geo.continent_name": "NA",
"destination.geo.country_name": "United States",
"destination.geo.region_iso_code": "OH"
},
"sort": [
1583806940000
]
}
]
}
}
},
"as": {
"doc_count": 10317,
"results": {
"hits": {
"total": {
"value": 10317,
"relation": "eq"
},
"max_score": null,
"hits": [
{
"_index": "bluecoat-2020.11",
"_type": "_doc",
"_id": "rsHy6HABRlOyzcJIDe9r",
"_score": null,
"_source": {
"destination.as.number": "16509",
"destination.as.organization.name": "Amazon.com, Inc."
},
"sort": [
1583806940000
]
}
]
}
}
},
"lastSeen": {
"value": 1583806940000,
"value_as_string": "2020-03-10T02:22:20.000Z"
},
"firstSeen": {
"value": 1583806044000,
"value_as_string": "2020-03-10T02:07:24.000Z"
}
},
"source": {
"doc_count": 0,
"geo": {
"doc_count": 0,
"results": {
"hits": {
"total": {
"value": 0,
"relation": "eq"
},
"max_score": null,
"hits": []
}
}
},
"as": {
"doc_count": 0,
"results": {
"hits": {
"total": {
"value": 0,
"relation": "eq"
},
"max_score": null,
"hits": []
}
}
},
"lastSeen": {
"value": null
},
"firstSeen": {
"value": null
}
}
}
}
Network IP Data
Response Data