Cryptsus Blog | We craft cyber security solutions.

Sentinel SIEM can ingest data from different sources such as appliances, applications, and cloud platforms. Not all sources are shipped with geographical enrichment of the IP address within a log message. This can be a shortcoming when you need to create a specific SIEM use case to detect or block activity outside of your organization's trusted geographical boundaries. This blog post elaborates on how to configure Sentinel GeoIP enrichment on a country basis.

Microsoft Sentinel provides an API to apply GeoIP enrichment. This API can be useful in specific scenarios, but not for big chunks of ingested Syslog data. The API has a limit of 100 calls, per user, per hour. Furthermore, it is rather network-intensive.

AlienVault OTX, Abuse.ch, and VirusTotal integrate with Sentinel and can apply SOAR-based GeoIP lookups. They can enrich IPs when flagged for possible malicious use or being hijacked. Again, these APIs have rate limits in place on the third-party vendor side. These API integrations are more practical for specific SIEM use cases and Incident Response.

Instead of using an API, we download a complete database of all IP ranges per country. This way, we can map the GeoIP country of every log message that contains an IP variable. This is somewhat similar to what Microsoft advises us to do with the ipv4_lookup plugin, but without creating an external_data connection to an online database.

There is a whole business model around GeoIP databases. We picked MaxMind, which provides an excellent free database. However, the paid version of the database should be slightly more accurate. The database contains all public IPv4 ranges allocated to countries by the Internet Assigned Numbers Authority (IANA) via the regional Internet registries (RIRs). You must create an account and download the latest version of the GeoLite2-Country-CSV file. Next, apply VLOOKUP functions in Python or Excel to match the country ID with the English country name. This should result in the following CountryGeoIP.csv file:

Figure 1: Country GeoIP database in CSV format

This GeoIP location database is never entirely accurate. However, in most cases, the database is accurate enough to leverage it for KQL queries to identify from where sessions are established, unless IPs are spoofed, lateral movement is applied, or a VPN is used. Please be aware that malicious actors nowadays can use (compromised) systems from the same geolocation as your HQ to launch an attack.

Due to MaxMind licensing constraints, we cannot share the final CSV GeoIP database file. We are not sure why MaxMind does not simply make a pre-compiled English version of the GeoIP database available and ready for use. This would save us from performing VLOOKUPs. Please check the license agreement with MaxMind to see whether you can use the paid or free GeoIP database. You have to perform manual actions to add the country names.
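Added example (not code from the Cryptsus post): a Python version of the VLOOKUP step that joins the GeoLite2 blocks file to the English locations file, renders the CountryGeoIP.csv layout, and performs the same range match that ipv4_lookup later does in KQL. The sample rows are constructed; the column names follow MaxMind's GeoLite2-Country CSV files, and the fallback to registered_country_geoname_id for blocks with an empty geoname_id is a property of those files that a plain VLOOKUP on geoname_id would miss.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the GeoLite2-Country CSV layout (column names as in
# MaxMind's *-Blocks-IPv4.csv and *-Locations-en.csv; networks and ids are made up).
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
203.0.113.0/24,2750405,2750405,,0,0
198.51.100.0/25,,2921044,,0,0
198.51.100.128/25,6252001,6252001,,0,0
"""
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2750405,en,EU,Europe,NL,Netherlands,1
2921044,en,EU,Europe,DE,Germany,1
6252001,en,NA,North America,US,United States,0
"""

def build_country_table(blocks_csv, locations_csv):
    """Join the blocks file to English country names (the 'VLOOKUP' step).
    A block with an empty geoname_id falls back to registered_country_geoname_id,
    so no network silently drops out of the lookup table."""
    names = {r["geoname_id"]: r["country_name"]
             for r in csv.DictReader(io.StringIO(locations_csv))}
    table = []
    for r in csv.DictReader(io.StringIO(blocks_csv)):
        gid = r["geoname_id"] or r["registered_country_geoname_id"]
        table.append((ipaddress.ip_network(r["network"]), names.get(gid, "Unknown")))
    # Most specific prefix first, so it wins if ranges ever overlap.
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table

COUNTRY_TABLE = build_country_table(BLOCKS_CSV, LOCATIONS_CSV)

def write_country_geoip_csv(table=COUNTRY_TABLE):
    """Render the joined table as CountryGeoIP.csv text: network,country_name."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["network", "country_name"])
    for net, name in table:
        w.writerow([str(net), name])
    return out.getvalue()

def lookup_country(ip, table=COUNTRY_TABLE):
    """Range match as KQL ipv4_lookup does: first network containing ip."""
    addr = ipaddress.ip_address(ip)
    for net, name in table:
        if addr in net:
            return name
    return "Unknown"
```

Feed the real GeoLite2-Country-Blocks-IPv4.csv and GeoLite2-Country-Locations-en.csv contents to build_country_table and write the result of write_country_geoip_csv to CountryGeoIP.csv for upload to Sentinel.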