
GeoIP Lookups

Now that we have a GeoIP database in place, we can configure a Stream Pipeline to execute the lookup. We're going to add a GeoIP Function to the firewall_enrich Pipeline.

important
  1. Click on the Cribl upper tab (if it doesn't have focus).

  2. In the Stream UI's top nav, make sure Manage is active.

  3. From the submenu, select Processing > Pipelines.

  4. On the Pipelines page, find and click on the firewall_enrich Pipeline. (To display this first column's header and contents, you might need to drag the pane and column dividers toward the right.)

  5. In the Stream UI's right pane, make sure Sample Data has focus. Then click on Simple (at the lower right), to the right of the pan_firewall_traffic_conditioned.log sample name.

  6. Click the OUT button toward the top of the right pane. You should see 50 pan:traffic events, with green highlights for fields the Pipeline is adding in that pane, like this: [Screenshot: Sample Events]

  7. Click Add Function near the top of the left pane, and either find GeoIP in the Standard submenu, or type GeoIP into the search box to locate it. Then click GeoIP to add this Function to the Pipeline.

  8. In the new GeoIP Function, enter the following field values:

    | Field | Value |
    | --- | --- |
    | GeoIP File (.mmdb) | GeoLite2-City.mmdb |
    | IP Field | src_ip |
    | Result Field | src_geoip |

    The Function should now look like this (we've added an optional Description value): [Screenshot: GeoIP Function]

  9. Click Save.

Records in the right output pane should now display a new src_geoip field. If the src_ip field value is a private address (RFC 1918 address space), src_geoip will show as a null value; otherwise it will be a JSON object. You can click any src_geoip field to expand its multiple nested fields.
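To make the Function's behaviour concrete, here is an added Python example (not Cribl's code) that models the enrichment step: a constructed in-memory stand-in replaces GeoLite2-City.mmdb, RFC 1918 sources get a null src_geoip, and a per-country count reproduces the number the Kibana map tooltip shows. The field names src_ip and src_geoip are the ones configured above; everything else is assumed.

```python
import ipaddress
from collections import Counter
from typing import Optional
# RFC 1918 private ranges: the Pipeline leaves src_geoip null for these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for GeoLite2-City.mmdb, keyed by prefix; the nested
# shape mirrors a City lookup, but every value here is made up.
SAMPLE_DB = {
    ipaddress.ip_network("203.0.113.0/24"): {"country": {"iso_code": "AU", "names": {"en": "Australia"}},
                                             "city": {"names": {"en": "Sydney"}}},
    ipaddress.ip_network("198.51.100.0/24"): {"country": {"iso_code": "DE", "names": {"en": "Germany"}},
                                              "city": {"names": {"en": "Berlin"}}},
}

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def geoip_lookup(ip: str) -> Optional[dict]:
    # With the real file this would be maxminddb.open_database(...).get(ip).
    addr = ipaddress.ip_address(ip)
    for net, record in SAMPLE_DB.items():
        if addr in net:
            return record
    return None  # public address absent from the database

def enrich_event(event: dict, ip_field: str = "src_ip", result_field: str = "src_geoip") -> dict:
    # Copy the event and add result_field: null for RFC 1918 sources, else the record.
    out = dict(event)
    ip = event.get(ip_field)
    if ip is None:
        return out  # no source IP on this event: nothing to enrich
    out[result_field] = None if is_rfc1918(ip) else geoip_lookup(ip)
    return out

def events_per_country(events: list) -> dict:
    # Count enriched events by country code, the number the Kibana map tooltip shows.
    counts = Counter()
    for ev in events:
        geo = enrich_event(ev).get("src_geoip")
        if geo:
            counts[geo["country"]["iso_code"]] += 1
    return dict(counts)

# Constructed pan:traffic-style events, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"src_ip": "10.20.30.40"}, {"src_ip": "203.0.113.7"},
    {"src_ip": "198.51.100.9"}, {"src_ip": "203.0.113.200"},
]
```

Note that a public address with no entry in the database also comes back null, so a null src_geoip alone does not prove the source was private.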

At this point, the data that is going to the Elasticsearch/Kibana environment is also enriched with the src_geoip field. Let's take a look.

important
  1. Click the Kibana - Events upper tab, and hit Refresh near the top of the embedded Kibana frame to see the most recent events. If you expand the first event, you should see a series of fields whose names start with src_geoip.
  2. Click the Kibana - Map upper tab, and hit Refresh near the top of the embedded Kibana frame to map the most recent events. You should now see a number of countries change color. If you hover your mouse over any of them, you'll see a tooltip telling you how many events came from that country.

If you get lost in the Kibana interface, click the expansion icon at the bottom left of the Kibana UI, and it will show you the full navigation.

Our Compromised Layer is still showing no data, so next, let's get the threat feed enrichment going.