Mapping Internal Network for SIEM Network Map - Not showing

I am not sure I am making the correct assumption but I thought that if I added

    processors:
      - add_host_metadata:
      - add_cloud_metadata: ~
      - add_fields:
          when.network.source.ip: 10.10.10.10/24
          fields:
            source.geo.location:
              lat: something.number_here
              lon: -something.number_here
          target: ''

to the filebeat yml, that I would be able to see the machine appear in the SIEM's Network Map tab - but that's not happening. Question is, was I wrong to believe that adding those fields would make the machine show up in the Network Map? Or am I missing a step somewhere?

Also, wasn't sure what value "target" would receive.

Thank you.

I can't speak to the SIEM component, but is that field mapped as a geo_point in Elasticsearch?

Hi Warkolm,
Essentially I was following the instructions on:
https://www.elastic.co/guide/en/siem/guide/current/conf-map-ui.html#private-network
Which I thought would create the internal geo_point in its index.
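
The check raised in the reply above, whether `source.geo.location` is mapped as `geo_point`, can be run against the JSON returned by `GET <index>/_mapping`. The following is an added example, not part of the original thread: it assumes the typeless mapping layout of Elasticsearch 7.x, and the index names and `SAMPLE_MAPPING` are constructed for illustration.

```python
# Added example: report how a dotted field is mapped in each index of a
# GET <index>/_mapping response (Elasticsearch 7.x typeless layout assumed).

def field_type(properties, dotted_path):
    """Walk nested 'properties' and return the mapped type, or None if unmapped."""
    node = {"properties": properties}
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    # Object fields carry 'properties' but no explicit 'type'.
    return node.get("type", "object" if "properties" in node else None)


def geo_point_report(mapping_response, dotted_path="source.geo.location"):
    """Map each index name to the type found for dotted_path."""
    report = {}
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        report[index] = field_type(props, dotted_path)
    return report


def not_geo_point(mapping_response, dotted_path="source.geo.location"):
    """Indices where the field is absent or mapped as something other than geo_point."""
    report = geo_point_report(mapping_response, dotted_path)
    return sorted(index for index, found in report.items() if found != "geo_point")


# Constructed sample: hypothetical index names, three possible outcomes.
SAMPLE_MAPPING = {
    "filebeat-example-good": {"mappings": {"properties": {"source": {"properties": {
        "geo": {"properties": {"location": {"type": "geo_point"}}}}}}}},
    # lat/lon mapped as a plain object with float subfields, not a geo_point
    "filebeat-example-object": {"mappings": {"properties": {"source": {"properties": {
        "geo": {"properties": {"location": {"properties": {
            "lat": {"type": "float"}, "lon": {"type": "float"}}}}}}}}}},
    # field never indexed (for example, the add_fields condition never matched)
    "filebeat-example-missing": {"mappings": {"properties": {"source": {"properties": {
        "ip": {"type": "ip"}}}}}},
}

if __name__ == "__main__":
    for index, found in geo_point_report(SAMPLE_MAPPING).items():
        print(f"{index}: source.geo.location -> {found}")
    print("not geo_point:", not_geo_point(SAMPLE_MAPPING))
```

To use it on a real cluster, save the `_mapping` response to a file, load it with `json.load`, and pass the result to `geo_point_report`.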
