Using Automated GeoIP Enrichment in Chronicle

This month we released geolocation-enriched data that enables users to automatically gain additional context around the geolocation of events out of the box. Specifically, all routable IPs within customer data are now enriched with the following information: country, state or province, latitude/longitude coordinates, ASN (autonomous system number), carrier name, organization name, and DNS domain.  

GeoIP, while often taken for granted, is one of the key areas where a SIEM can really shine. If done right, enrichment enables a very targeted set of use cases. Typically, systems handle enrichment in a clunky manner, often relying on a freemium database that is incomplete and rarely updated.

Google's proprietary technology powers Chronicle's GeoIP enrichment: the contextual data is updated automatically, and the service is built to handle high volumes. Let’s take a look at how it works and how to use it.

How it works

GeoIP enrichment is handled inline within Chronicle’s Unified Data Model (UDM). Chronicle normalizes logs and events upon ingestion, which means it knows the IPs associated with events early in the pipeline, and can enrich the events with GeoIP information immediately. 

For example, suppose a NETWORK_CONNECTION event is made from 144.217.65.235 to an internal resource inside the Google Cloud Platform, such as a Virtual Machine with an internal IP of 10.128.0.22.

When this event is parsed, the string 144.217.65.235 is mapped to principal.ip and 10.128.0.22 to target.ip. Chronicle’s enrichment service then provides additional contextual information about principal.ip, such as country, state, latitude and longitude.

Additional contextual information such as ASN (autonomous system number), carrier name, organization name and DNS domain may also be available. GeoIP context is available with no scale or performance considerations on the analyst’s part and can be used throughout Chronicle.

As you would expect, you can leverage Chronicle’s fast and effective search capabilities to include GeoIP enrichment. Let’s see this in action.

The following example will return all USER_LOGIN events where the external user IP is geolocated to California.

principal.ip_geo_artifact.location.state = "California" AND metadata.event_type = "USER_LOGIN"

This search returned 4,445 user login events from California over the past 30 days. The events section includes the event timestamp, username, IP address of the user (IPv4 or IPv6), and the GeoIP enriched data such as country and state.

How to use GeoIP enrichment inside the Detection Engine using YARA-L

GeoIP enrichment can also be used in Chronicle’s Detection Engine. Let's demonstrate with an “impossible traveler” example. The following illustrates how to detect if any user has successfully authenticated from multiple states within the same or different countries in an hour.

rule geoip_user_login_multiple_states_or_countries_within_1h {
  meta:
    author = "Chronicle"
    description = "Detect multiple user logins from multiple states or countries using Chronicle GeoIP enrichment."
    severity = "INFORMATIONAL"

  events:
    // Successful logins only, and only events that actually carry GeoIP context
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    $login.principal.ip_geo_artifact.location.country_or_region != ""
    // Bind the enriched location and the grouping keys to placeholder variables
    $login.principal.ip_geo_artifact.location.country_or_region = $country
    $login.principal.ip_geo_artifact.location.state = $state
    $login.metadata.product_name = $product
    $login.target.user.userid = $user

  match:
    // Group all logins for the same user and product within a 1-hour window
    $user, $product over 1h

  outcome:
    $dc_state = count_distinct($login.principal.ip_geo_artifact.location.state)
    $array_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $dc_country_or_region = count_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $array_country_or_region = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $array_asn = array_distinct($login.principal.ip_geo_artifact.network.asn)
    $array_carrier_name = array_distinct($login.principal.ip_geo_artifact.network.carrier_name)

  condition:
    // Fire when the window contains logins from at least two distinct states
    #country >= 1 and #state >= 2
}

The results of this rule indicate that a user successfully authenticated to Google Cloud Platform from two different countries within three minutes: United States (Virginia) and Spain (Madrid).

This example detection can be a good starting point to look for geographically unusual login events, and is intended to illustrate how the GeoIP enrichment can be used within Chronicle’s Detection Engine.
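To make the rule's logic concrete outside Chronicle, here is an added Python approximation (not Chronicle code, and not from the original post) that applies the same events filter, (user, product) grouping, 1h window and condition to a handful of constructed UDM-style logins. The sliding-window evaluation and the sample ASN/carrier values are assumptions; Chronicle's own match-window semantics may differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logins in a reduced UDM-like shape (not real customer data).
# Only the fields the rule references are kept; ASN/carrier values are made up.
EVENTS = [
    {"ts": "2022-06-01T10:00:00", "type": "USER_LOGIN", "action": "ALLOW", "product": "GCP",
     "user": "alice", "country": "United States", "state": "Virginia", "asn": 64512, "carrier": "carrier-a"},
    {"ts": "2022-06-01T10:03:00", "type": "USER_LOGIN", "action": "ALLOW", "product": "GCP",
     "user": "alice", "country": "Spain", "state": "Madrid", "asn": 64513, "carrier": "carrier-b"},
    {"ts": "2022-06-01T10:05:00", "type": "USER_LOGIN", "action": "BLOCK", "product": "GCP",
     "user": "bob", "country": "Spain", "state": "Madrid", "asn": 64513, "carrier": "carrier-b"},
    {"ts": "2022-06-01T10:10:00", "type": "USER_LOGIN", "action": "ALLOW", "product": "GCP",
     "user": "bob", "country": "United States", "state": "Virginia", "asn": 64512, "carrier": "carrier-a"},
    {"ts": "2022-06-01T13:00:00", "type": "USER_LOGIN", "action": "ALLOW", "product": "GCP",
     "user": "bob", "country": "United States", "state": "California", "asn": 64514, "carrier": "carrier-c"},
    {"ts": "2022-06-01T10:20:00", "type": "USER_LOGIN", "action": "ALLOW", "product": "GCP",
     "user": "carol", "country": "", "state": "", "asn": 0, "carrier": ""},  # no GeoIP context
]

def impossible_traveler(events, window=timedelta(hours=1)):
    """Approximation of the YARA-L rule: keep allowed logins that carry GeoIP
    context, group by (user, product), and report a 1h window that contains
    logins from at least two distinct states."""
    # events: section filters
    kept = [e for e in events
            if e["type"] == "USER_LOGIN" and e["action"] == "ALLOW" and e["country"] != ""]
    # match: section grouping keys
    groups = defaultdict(list)
    for e in kept:
        groups[(e["user"], e["product"])].append(e)
    detections = []
    for (user, product), logins in groups.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            t0 = datetime.fromisoformat(first["ts"])
            win = [e for e in logins[i:] if datetime.fromisoformat(e["ts"]) - t0 <= window]
            states = sorted({e["state"] for e in win})
            countries = sorted({e["country"] for e in win})
            if len(countries) >= 1 and len(states) >= 2:  # condition: #country >= 1 and #state >= 2
                detections.append({  # outcome: section variables
                    "user": user, "product": product,
                    "dc_state": len(states), "array_state": states,
                    "dc_country_or_region": len(countries), "array_country_or_region": countries,
                    "array_asn": sorted({e["asn"] for e in win}),
                    "array_carrier_name": sorted({e["carrier"] for e in win}),
                })
                break  # one detection per (user, product); sliding window is an assumption
    return detections

if __name__ == "__main__":
    for d in impossible_traveler(EVENTS):
        print(d)
```

Only alice is reported: bob's blocked login is filtered out and his two allowed logins are more than an hour apart, while carol's login carries no country.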

How to use GeoIP enrichment to visualize data with Looker dashboards

Because Chronicle creates enrichment values early in the pipeline, both BigQuery and Chronicle’s embedded dashboards can leverage the GeoIP data. 

Looker incorporates Google Maps, which allows us to create visualizations overlaid on a map. The map below displays failed user login events by location and volume, where a larger circle indicates a greater volume of failed login events.

Will this override my existing enrichment?

Chronicle augments any existing enrichment offered by the log sources. For example, Akamai WAF logs for NETWORK_HTTP event types carry a pre-enriched geolocation field supplied by the log source:

"clientIP": "165.225.93.11",
"geo": {
    "country": "ES"
}

In the Akamai WAF parser, clientIP is mapped to principal.ip and geo.country to principal.location.country_or_region. Chronicle’s enrichment does not override these values; it simply adds its own enrichment to principal.ip_geo_artifact.location.country_or_region. This way, the analyst can choose to leverage GeoIP enrichment from the log source, from Chronicle, or from both.
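The following added Python example (not Chronicle's parser or enrichment code) shows the two behaviours described in this section side by side: the source-supplied geo field is mapped to principal.location and left untouched, while Chronicle-style enrichment is added under principal.ip_geo_artifact only for routable IPs. The GEOIP_DB lookup table and its values are constructed stand-ins, not real GeoIP data.

```python
import ipaddress
import json

# Constructed stand-in for Chronicle's GeoIP lookup (assumed values, not a real database).
GEOIP_DB = {
    "165.225.93.11": {"location": {"country_or_region": "Spain", "state": "Madrid"},
                      "network": {"asn": 64512, "carrier_name": "carrier-a"}},
}

def parse_akamai_waf(raw: str) -> dict:
    """The parser mapping described above: clientIP -> principal.ip and
    geo.country -> principal.location.country_or_region (when present)."""
    rec = json.loads(raw)
    event = {"metadata": {"event_type": "NETWORK_HTTP"}, "principal": {"ip": [rec["clientIP"]]}}
    country = rec.get("geo", {}).get("country")
    if country:
        event["principal"]["location"] = {"country_or_region": country}
    return event

def enrich_geoip(event: dict, db: dict = GEOIP_DB) -> dict:
    """Augment, never overwrite: add principal.ip_geo_artifact for each routable
    principal IP and leave any source-supplied principal.location untouched."""
    principal = event.setdefault("principal", {})
    for ip in principal.get("ip", []):
        if not ipaddress.ip_address(ip).is_global:  # private, loopback, link-local: skip
            continue
        hit = db.get(ip)
        if hit is None:  # routable but unknown to the constructed lookup table
            continue
        principal.setdefault("ip_geo_artifact", []).append({"ip": ip, **hit})
    return event

# Constructed sample log line carrying the pre-enriched geo field from the section above.
RAW_AKAMAI = '{"clientIP": "165.225.93.11", "geo": {"country": "ES"}}'

if __name__ == "__main__":
    print(json.dumps(enrich_geoip(parse_akamai_waf(RAW_AKAMAI)), indent=2))
```

The resulting event keeps the source's "ES" in principal.location while the enrichment lands in principal.ip_geo_artifact, so a search on either field still works.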

GeoIP enrichment is readily available in Chronicle. GeoIP enriched fields are also displayed in UDM grid views, e.g., UDM Search, Detection View, User View and in the UDM Event viewer.

With Chronicle, early-stage enrichment removes the burden from analysts, allowing them to leverage the added context for search and detection immediately, in contrast to downstream (alert-time) or even search-time enrichment. Analysts can focus on investigation rather than finessing data into intermediary tables. Taking this one step further, enrichment within the data pipeline also removes the burden from SOAR, because all data already has context available to it. The SOAR can then focus on playbooks that streamline the analyst response.

Summary

In this blog post, we showed you what GeoIP enrichment is and how you can use it in rules, searches and dashboards. Chronicle’s GeoIP enrichment provides users the following capabilities:

  • Extremely high volume enrichment: every log, every data source, every petabyte can be enriched, without any additional action by the analyst
  • High accuracy enrichment: enrichment data is powered by Google’s proprietary Intelligence Services
  • Enrichment at the source: enrichment at ingestion allows analysts to utilize this context downstream in every aspect of the pipeline (search, detection, data lake and visualization)
  • Inline use in rules and search: analysts can simply search for contextual data like any other field, for example:

principal.ip_geo_artifact.location.country_or_region = "United States"

  • Automatic updates of core capabilities: no more manual updates to forget to apply, and no separate paid subscriptions
