GeoIP

This transformation determines the geographic location of the IP addresses contained in the event and derives networking values based on the connection direction and the type of IP address. By analyzing an IP address, GeoIP can estimate where the related asset is located.

The platform enriches events with the following GeoIP information:

  • Country name

  • Country code

  • City name

  • Coordinates (latitude & longitude)

  • ISP or Organization

  • Postal code

Additionally, the platform enriches the events with pre-computed IP address characteristics, which are useful for investigation and for creating alerts:

Field: sourceAddressType, destinationAddressType

  Possible values:

  • private

  • public

  Description: Assists in the creation of detection filters and criteria by eliminating the need to use broad private IP range filters on the sourceAddress and destinationAddress fields.

Field: sourcePortType, destinationPortType

  Possible values:

  • well-known

  • registered

  • dynamic

  Description:

  • Well-known: ports from 0 to 1024

  • Registered: ports from 1024 to 49151

  • Dynamic: ports from 49151 to 65535

Field: connectionDirection

  Possible values:

  • toInternet

  • fromInternet

  • internal

  • external

  Description:

  • toInternet: from a private IP address to a public IP address

  • fromInternet: from a public IP address to a private IP address

  • internal: from a private IP address to a private IP address

  • external: from a public IP address to a public IP address

This transformation requires the following fields to work:

  • sourceAddress

  • destinationAddress

  • sourcePort

  • destinationPort

If your events carry this information under different field names, apply the "Rename fields" or "Copy fields" transformation before the GeoIP transformation.
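As an added example (not part of this page or of the platform's own implementation), the following Python computes the pre-computed characteristic fields described above for a set of constructed events and reports which required fields are missing. It assumes the IANA port boundaries (0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic) where the ranges above overlap at 1024 and 49151, and treats "private" as any non-globally-routable address as reported by Python's ipaddress module.

```python
import ipaddress

# Constructed sample events with the field names the GeoIP transformation requires.
SAMPLE_EVENTS = [
    {"sourceAddress": "10.1.2.3", "destinationAddress": "8.8.8.8",
     "sourcePort": 51234, "destinationPort": 443},
    {"sourceAddress": "1.1.1.1", "destinationAddress": "192.168.0.5",
     "sourcePort": 40000, "destinationPort": 22},
    {"sourceAddress": "10.0.0.1", "destinationAddress": "10.0.0.2",
     "sourcePort": 49152, "destinationPort": 3389},
]
REQUIRED_FIELDS = ("sourceAddress", "destinationAddress", "sourcePort", "destinationPort")

def missing_fields(event):
    """Required fields the event does not carry (rename or copy them first)."""
    return [f for f in REQUIRED_FIELDS if f not in event]

def address_type(value):
    """'private' for non-globally-routable addresses (assumption), else 'public'."""
    return "private" if ipaddress.ip_address(value).is_private else "public"

def port_type(port):
    """Assumed IANA boundaries: 0-1023 well-known, 1024-49151 registered, rest dynamic."""
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"

def connection_direction(src_type, dst_type):
    """Map the (source, destination) address types onto the four directions."""
    return {("private", "public"): "toInternet",
            ("public", "private"): "fromInternet",
            ("private", "private"): "internal",
            ("public", "public"): "external"}[(src_type, dst_type)]

def enrich(event):
    """Return a copy of the event with the pre-computed characteristic fields added."""
    missing = missing_fields(event)
    if missing:
        raise KeyError(f"GeoIP transformation needs fields: {missing}")
    out = dict(event)
    out["sourceAddressType"] = address_type(event["sourceAddress"])
    out["destinationAddressType"] = address_type(event["destinationAddress"])
    out["sourcePortType"] = port_type(event["sourcePort"])
    out["destinationPortType"] = port_type(event["destinationPort"])
    out["connectionDirection"] = connection_direction(
        out["sourceAddressType"], out["destinationAddressType"])
    return out
```

Running enrich over SAMPLE_EVENTS yields toInternet, fromInternet and internal respectively, and an event lacking any of the four fields is rejected before enrichment rather than silently producing partial values.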
