Hello and thank you for the "super good" explanation.
It was not the "handling" of creating the overlay but a simpler problem - I needed to find the right field.
In my case I now use "destination.as.organization.name", which is solving my needs.
I added some exclusions for standard orgs like Microsoft and Akamai.
What I get as a result is a map with all the destinations that had been connected and I can see very fast if there's one in an unusual location.
Great for me - this is helping a lot if I want to check for any "un-normal" traffic.
About the improvement - I am "overloaded" with the information that is available and what is behind this. Maybe a list of "common" fields with an explanation would be fine?
What I am also missing is the "URL" of the connection if it's maybe an HTTPS request. Having this available would make it much easier to identify potential malicious traffic.
I tested "Elastic Defend" but got a different issue (see separate post from today) and not the field with the URL.
--> Is it possible to collect this info as a field from an integration?
Please open a separate issue since that does not seem related to maps. To be honest, I'm not able to fully follow the issue, so I would suggest simplifying and adding as much context as possible for folks to assist. Good luck!