
Tag Country, State and City Information to Zeek Elasticsearch Entries


Hello friends,

I hope everyone has been able to stay safe and healthy.

I have been adding features to my Zeek and Elasticsearch environments. In this installment I will show how to attach custom country, state and city information to your Elasticsearch entries based on the source and destination IP networks of each event. In my opinion it's a game changer when you use the default Zeek dashboards and the SIEM functions: internal hosts that GeoIP lookups cannot place finally show up on the maps, and every event carries location fields you can filter and pivot on.

If you've set up your Zeek and Elasticsearch instances the way I did on the Raspberry Pi, you can add a few Filebeat processors that attach geolocation fields to events matching certain conditions. In my case I added the following "- add_fields" entries to the processors section near the bottom of /etc/filebeat/filebeat.yml:

  - add_fields:
      when.network.source.ip: private
      target: ''
      fields:
        source.geo.location:
          lat: <find latitude>
          lon: <find longitude>
        source.geo.continent_name: <Insert your continent>
        source.geo.country_iso_code: <Insert your country's ISO code>
        source.geo.region_iso_code: <Insert your region ISO code>
        source.geo.region_name: <Insert the region name>
        source.geo.city_name: <Insert the city name>
  - add_fields:
      when.network.destination.ip: private
      target: ''
      fields:
        destination.geo.location:
          lat: <find latitude>
          lon: <find longitude>
        destination.geo.continent_name: <Insert your continent>
        destination.geo.country_iso_code: <Insert your country's ISO code>
        destination.geo.region_iso_code: <Insert your region ISO code>
        destination.geo.region_name: <Insert the region name>
        destination.geo.city_name: <Insert the city name>

In the configuration above the private IP address space is tagged with one fixed location, once for source IPs and once for destination IPs. The "private" keyword is Filebeat's name for the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus IPv6 unique local addresses; GeoIP databases have no entries for these, which is why internal traffic otherwise shows up on the maps with no location at all. Public addresses do not match the condition and keep whatever the GeoIP enrichment gives them. You can replace "private" with a single network or a list of networks in CIDR notation, and the network condition also understands keywords such as "loopback" and "public". Because processors run in the order they are listed and each add_fields entry writes its own values, put a generic rule first and more specific subnets after it so the specific values win. Ideally you set up source and destination entries for each of your hosts and networks so that events do not default to your ISP's known information, and note that "target: ''" is what places the fields at the top level of the event instead of under a "fields" object.

The variables are the same for the source and destination settings:

lat: Latitude of the location you're trying to map; it can be found on Google Maps.
lon: Longitude of the location you want to map.

geo.continent_name: Type in the continent name, ex: Europe
geo.country_iso_code: Each country has an ISO 3166-1 alpha-2 code, ex: US for the United States. A list is available at: https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes
geo.region_iso_code: Within a country, states and provinces have ISO 3166-2 codes, ex: US-NY for New York state. A list is available at: https://en.wikipedia.org/wiki/ISO_3166-2
geo.region_name: The full name of the province or state, ex: New York.
geo.city_name: The name of the city your network is in.

Save the file, restart Filebeat on the collecting Zeek instance and then check that logs are still arriving in Elasticsearch (a YAML indentation mistake in the processors section will stop Filebeat from starting, so check its log if events stop flowing). If they are, searching Discover for source.geo.city_name : * should return your internal hosts, and you should see the newly added country, region and city fields in your index, plus more precise map placement if you also filled in the latitude and longitude.
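To make the matching behaviour concrete, here is an added example (my own Python, not code from the post or from Filebeat) that simulates the processors above on a few constructed Zeek conn events already shaped as ECS (source.ip, destination.ip). The site coordinates, the Albany branch subnets and the sample IPs are made up for the example; the "private" ranges follow the Filebeat documentation, and the assumption that a later matching add_fields overwrites an earlier one mirrors Filebeat's ordered processor chain, so verify it against your Filebeat version before relying on rule order.

```python
"""Simulate Filebeat add_fields processors gated by a `network` condition
on ECS-shaped Zeek conn events. Added example, not the post's code."""
import ipaddress

# What Filebeat's `network` condition matches for the keyword "private"
# (per the Filebeat docs: RFC 1918 ranges plus IPv6 unique local).
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed site data. Each rule mirrors one `- add_fields:` entry:
# a network spec (the keyword "private", one CIDR, or a list of CIDRs)
# and the geo fields it stamps onto matching events.
GEO_RULES = [
    ("private", {
        "location": {"lat": 40.7128, "lon": -74.0060},
        "continent_name": "North America",
        "country_iso_code": "US",
        "region_iso_code": "US-NY",
        "region_name": "New York",
        "city_name": "New York",
    }),
    # A more specific subnet listed after the generic rule so its values win.
    (["192.168.50.0/24", "10.20.0.0/16"], {
        "location": {"lat": 42.6526, "lon": -73.7562},
        "continent_name": "North America",
        "country_iso_code": "US",
        "region_iso_code": "US-NY",
        "region_name": "New York",
        "city_name": "Albany",
    }),
]


def expand_spec(spec):
    """Turn a rule's network spec into a list of ip_network objects."""
    if spec == "private":
        return PRIVATE_NETWORKS
    if isinstance(spec, str):
        spec = [spec]
    return [ipaddress.ip_network(s, strict=False) for s in spec]


def ip_in_networks(ip_str, networks):
    """True if ip_str parses as an address and lies inside any network.
    Mixed IPv4/IPv6 comparisons simply return False."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # Zeek can emit non-address values; never match those
        return False
    return any(ip in net for net in networks)


def enrich(event, rules=GEO_RULES):
    """Apply every rule to source.ip and destination.ip, in order.
    Assumption: a later matching rule overwrites an earlier one, as an
    ordered chain of add_fields processors would."""
    out = dict(event)
    for side in ("source", "destination"):
        ip = event.get(f"{side}.ip")
        if ip is None:
            continue
        for spec, geo in rules:
            if ip_in_networks(ip, expand_spec(spec)):
                for key, value in geo.items():
                    out[f"{side}.geo.{key}"] = value  # target: '' => top level
    return out


# Constructed Zeek conn events (ECS field names, values made up).
SAMPLE_EVENTS = [
    {"source.ip": "192.168.1.25", "destination.ip": "93.184.216.34", "network.transport": "tcp"},
    {"source.ip": "192.168.50.7", "destination.ip": "10.20.3.9", "network.transport": "udp"},
    {"source.ip": "203.0.113.5", "destination.ip": "192.168.1.25", "network.transport": "tcp"},
]


def enrich_all(events=SAMPLE_EVENTS):
    """Enrich every sample event; public IPs get no geo fields here."""
    return [enrich(e) for e in events]


if __name__ == "__main__":
    for e in enrich_all():
        print(e["source.ip"], "->", e.get("source.geo.city_name"),
              "|", e["destination.ip"], "->", e.get("destination.geo.city_name"))
```

Run it and you will see the internal 192.168.1.25 host get the headquarters location, the 192.168.50.0/24 and 10.20.0.0/16 hosts get the branch location because that rule comes last, and the public addresses (93.184.216.34, 203.0.113.5) receive nothing, which is the behaviour you want: those stay with the GeoIP data Elasticsearch already provides.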

On my Elasticsearch & Kibana instance it looks like this through the security module:

Hope this saves you some time and effort and enriches your data!
