Map IP Address to geolocation and use of the anomaly detector

Hello everyone,
i am using the wazuh software combined with ELK. I get some ip adress from Wazuh and i want to find the corresponding geolocation. How i can do that. Furthermore, i want to use the anomaly detector in order to find anormal behavior: e.g when a user has always an germany ip adress and suddenly has an french IP Adress. How i can realize it? Thank you

Hi @Vannessa_Kemeni

Elasticsearch includes a GeoIP processor that can be used when ingesting data to get the GeoLocation for an IP address. Read more about GeoIP Processor

For machine learning, I will direct you to the Machine Learning Getting Started documentation. That should walk you through building your first machine learning job and you should be able to adapt that to your use case.

Hi @corey.robertson ,
i have read the documentation but i did not correctly understand it.
I want to enrich some data, that are already in elastick search.
when i use this command, what happens? Should I define the file for those i want to add this info or this command add automatically the geolocation to all data.
PUT _ingest/pipeline/geoip
{
"description" : "Add geoip info",
"processors" : [
{
"geoip" : {
"field" : "ip"
}
}
]
}

@Vannessa_Kemeni

Here's a simple example of putting in a doc with an ip, and then reindexing it to a new index using the geoip processor, which will give you the geoip data

PUT my-index-00001/_doc/my_id
{
  "ip": "8.8.8.8"
}
GET my-index-00001/_doc/my_id
PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "ip"
      }
    }
  ]
}

POST _reindex
{
  "source": {
    "index": "my-index-00001"
  },
  "dest": {
    "index": "newindex",
    "pipeline": "geoip"
  }
}

GET newindex/_doc/my_id

Hi @corey.robertson ,
i have noticed that the ip adresses are all private, I have made some researched in the forum for finding how to convert it into a location and i found that.

 if [client_address] =~ /^10\./  {
  mutate { replace      => { "[geoip][timezone]"      => "Pacific/Auckland" } }
  mutate { replace     .....
} else {
  geoip {
    source => "client_address"
    target => "geoip"
    add_tag => [ "nginx-geoip" ]
  }
}

How i can use it? I don't really understant how that works. Can you please help me?