Newbie question regarding maps

Hello community,

I searched for the answer, but maybe the question is too easy :wink:

How do I configure an overlay in a map so that every "point" where a network communication ended has a tooltip with the "owner" of the IP range?

I am sure I saw something like this just after installing my test environment.

I saw dots on the map for every network endpoint, and if I moved the mouse over one I saw some info - mostly *.microsoft.com.

What is my aim: after having this map I want to exclude all Microsoft domains to see if traffic is going somewhere else in the world.

Any help with this question?

Thx a lot...

Hello @GKre, welcome to our community.

You mean a text on the map like the label of a city, or a pop up with that info that shows up when clicking on the point? In maps application:

  • the first is called a label and you can render one field as a label with many parameters configured on the panel at the end of the layer options
  • the second is called a tooltip and is configured in the Tooltip fields panel

Quick recording of configuring both settings with the Kibana Flights sample dataset, showing the average price as tooltips and labels.


To do that you can add a filter to that layer in the Filtering panel so only that layer is affected by your expression.

Continuing the previous example filtering flights with an average price lower than 500.

These settings and much more are documented in the Kibana Maps documentation, but let us know if there's something we can improve to clarify how the app works.


Hello and thank you for the "super good" explanation.

It was not the "handling" of creating the overlay but a more simple problem - I needed to find the right field :wink:

In my case I now use "destination.as.organization.name", which is solving my needs.

I added some exclusions for standard orgs like Microsoft and Akamai.
What I get as a result is a map with all the destinations that had been connected, and I can see very fast if there's one in an unusual location.

Great for me - this is helping a lot if I want to check for any "un-normal" traffic.

About the improvement - I am "overloaded" with the information that is available and what is behind this. Maybe a list of "common" fields with an explanation would be fine?

What I am also missing is the "URL" of the connection if it's maybe an HTTPS request. Having this available would make it much easier to identify potential malicious traffic.

I tested "Elastic Defend" but got a different issue (see separate post from today) and not the field with the URL.

--> Is it possible to collect this info as a field from an integration?

Best wishes
G.
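As an added example (not code from the thread or from Kibana), the following Python mirrors what the map layer does once the exclusion filter from the post above is in place: a KQL-style expression such as `not destination.as.organization.name : (Microsoft* or Akamai*)` is applied over constructed ECS-shaped documents, and only the documents that survive, and that carry a geo point, become dots with `destination.as.organization.name` as the tooltip. The exact KQL wording and the sample documents are assumptions; the two edge cases a defender should know about are documents with no AS enrichment (they stay on the map) and documents with no geo point (they never appear, so an absent dot is not proof of absent traffic).

```python
from fnmatch import fnmatchcase

# Exclusion patterns, written the way a KQL layer filter would spell them (assumed form).
EXCLUDE_PATTERNS = ["Microsoft*", "Akamai*"]

# Constructed ECS-style documents; addresses are documentation ranges, org names are illustrative.
SAMPLE_DOCS = [
    {"destination": {"ip": "203.0.113.10",
                     "geo": {"country_iso_code": "US", "location": {"lat": 47.6, "lon": -122.3}},
                     "as": {"organization": {"name": "MICROSOFT-CORP-MSN-AS-BLOCK"}}}},
    {"destination": {"ip": "198.51.100.7",
                     "geo": {"country_iso_code": "US", "location": {"lat": 42.4, "lon": -71.1}},
                     "as": {"organization": {"name": "Akamai Technologies"}}}},
    {"destination": {"ip": "192.0.2.55",
                     "geo": {"country_iso_code": "NL", "location": {"lat": 52.4, "lon": 4.9}},
                     "as": {"organization": {"name": "Example Hosting BV"}}}},
    # No AS enrichment at all: `not field : x` still matches it, so it stays on the map.
    {"destination": {"ip": "192.0.2.99",
                     "geo": {"country_iso_code": "BR", "location": {"lat": -23.5, "lon": -46.6}}}},
    # No geo point: the layer has nothing to place, so this one never becomes a dot.
    {"destination": {"ip": "10.0.0.5", "as": {"organization": {"name": "Example Hosting BV"}}}},
]


def as_org(doc):
    """Read destination.as.organization.name, or None when the enrichment is absent."""
    return doc.get("destination", {}).get("as", {}).get("organization", {}).get("name")


def excluded(doc, patterns):
    """Mirror `not destination.as.organization.name : (p1 or p2)`; a missing field is never excluded.
    Matching is case-folded here because AS names come in many spellings; confirm your mapping does the same."""
    name = as_org(doc)
    if name is None:
        return False
    return any(fnmatchcase(name.casefold(), p.casefold()) for p in patterns)


def layer_points(docs, patterns):
    """Return (lat, lon, tooltip) for every document the filtered layer would plot."""
    points = []
    for doc in docs:
        if excluded(doc, patterns):
            continue
        location = doc.get("destination", {}).get("geo", {}).get("location")
        if not location:
            continue  # nothing to place on the map
        points.append((location["lat"], location["lon"], as_org(doc) or "(no AS organization)"))
    return points
```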

Please open a separate issue since that seems not related to maps. To be honest I'm not able to fully follow the issue, so I would suggest simplifying and adding as much context as possible for folks to assist. Good luck!
