Viewing Our Data
First, let's take a look at the data flowing into the sandbox. We've got three tabs across the top of the right pane: Cribl (currently highlighted), Kibana - Map (described just below), and Kibana - Events (the Kibana discovery browser page).
Kibana - Map is a map view we've created, with two layers on it – one to represent the magnitude of traffic originating in a country, and another representing how many "compromised" IPs are originating traffic in that country.
Kibana sometimes takes a little longer to spin up, so you might see Kibana server is not ready yet. If so, wait a minute and reload the page.
Take a look at the data we have coming in.
- Click on the
Kibana - Eventstab. - Expand any of the records you see, taking note of the fields present in the event.
You should not see any field names that start with
src_geoip, or the fieldcompromised. - Click on the
Kibana - Maptab. You should see a map of the world and a layers palette like this:
These layers are how we'll be representing data on this map. But the circles with lines across them indicate that there is currently no data for each layer. We'll be creating that data in this exercise by adding the src_geoip and compromised fields via our lookups.
Lookup Data
We will be using the basic "Lookup" function, which utilizes a CSV file as a source. This file needs to be present on the filesystem for Stream to use it. Users can add lookups via the UI or have them present on disk where Stream workers can access them.
There are other Lookup sources supported in Stream such as: DNS, Redis, MongoDB, and others!
For this sandbox, we've preloaded the MaxMind GeoLite2 Free DB for geo lookups and a threat list CSV lookup as well. To do this in your own environment, you'd need to either buy a subscription to a provider like Maxmind, or grab a free DB. For the threat list, we've got a copy of the "compromised‑ips.txt" file from the Emerging Threats feed (published by ProofPoint), from rules.emergingthreats.net.
Now, let's get started!