Welcome to another Security Analyst Diary entry. We embarked on a journey to drive context-aware detections and enrich ingested data with actionable information for our customers. As part of driving that insight, we have a new and effective addition to drive enhanced context: GeoIP. Check out the video podcast of this diary entry.
Chronicle SIEM enables analysts to drive impactful security operations, context-driven detections and investigations, and a faster threat response. In today's Security Analyst Diary we're going to cover:
- What is GeoIP and how do we enrich the data?
- Building relevant UDM search queries based on GeoIP
- Building YARA-L detection rules
- Using GeoIP Dashboards via Looker and interesting BigQuery uses
Let’s begin!
What is GeoIP and how do we enrich the data?
In its simplest definition, GeoIP is the process of deriving a geographic location from a public IP address, e.g., the IP address 1.2.3.4 is in the United States (country_or_region), Alaska (state). Chronicle SIEM now has native and automatic GeoIP enrichment which can be used for search and detection use cases.
Additionally, we make the enrichment actionable for driving new capabilities in the SOC. GeoIP data is enriched into the Chronicle UDM objects:
- Principal
- Target
- Src
- Observer
| GeoIP Enrichment | UDM Path |
|---|---|
| Location, e.g., United States | <udm_object>.location.country_or_region |
| State, e.g., New York | <udm_object>.location.state |
| Longitude | <udm_object>.location.region_longitude |
| Latitude | <udm_object>.location.region_latitude |
Here is an example of what the enriched data looks like for an individual UDM object (src in this case):
| UDM field | Value |
|---|---|
| src.location.country_or_region | Nederland |
| src.location.region_latitude | 52.132633 |
| src.location.region_longitude | 5.291266 |
Chronicle SIEM uses the CLDR format for country names. Examples of the country name formats can be found on the CLDR GitHub page.
Let’s go through some use cases.
Building relevant UDM search queries based on GeoIP
GeoIP-enriched UDM can be used via UDM Search. Here are a few examples to get started with:
By Country Name (country_or_region)
src.location.country_or_region = "Nederland" OR principal.location.country_or_region = "Nederland"
By State (state)
src.location.state = "Noord-Holland" OR principal.location.state = "Noord-Holland"
By Longitude & Latitude
Note: UDM Search does not support longitude and latitude, today. Stay tuned for updates, and see the section below on using BigQuery.
Putting it together, we can start to craft UDM searches for activity to unauthorized target geographies:
metadata.event_type = "NETWORK_CONNECTION" AND ( target.location.country_or_region = "Cuba" OR target.location.country_or_region = "Iran" OR target.location.country_or_region = "North Korea" OR target.location.country_or_region = "Russia" OR target.location.country_or_region = "Syria" )
Hey, I can’t see GeoIP enriched UDM fields in the UI?
Context-enriched fields are displayed in UDM grid views, e.g., UDM Search, Detection View, User View, but they are not visible in the Event Viewer.
Building YARA-L detection rules
This is where it gets really impactful and exciting. GeoIP-enriched UDM can be used via Chronicle SIEM’s detection engine. Let’s look at an example which can detect if a user entity is authenticating from multiple distinct states. This is a simple and powerful use case that can help drive impactful alarms within the SOC to detect login compromises.
rule geoip_user_login_multiple_states_within_1d {
  meta:
    author = "demo"
    description = "Detect multiple authentication attempts from multiple distinct locations using Chronicle GeoIP enriched UDM."
    severity = "INFORMATIONAL"

  events:
    $geoip.metadata.event_type = "USER_LOGIN"
    (
      $geoip.metadata.vendor_name = "Google Workspace" or
      $geoip.metadata.vendor_name = "Google Cloud Platform"
    )
    /* optionally, detect distinct locations at a country level
    (
      $geoip.principal.location.country_or_region != "" and
      $geoip.principal.location.country_or_region = $country
    )
    */
    (
      $geoip.principal.location.state != "" and
      $geoip.principal.location.state = $state
    )
    $geoip.target.user.email_addresses = $user

  match:
    $user over 1d

  condition:
    $geoip and #state > 1
}
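To make the rule's logic concrete outside the detection engine, here is an added Python re-implementation of the same check over a handful of constructed, GeoIP-enriched USER_LOGIN events. This is example code written for this diary entry, not Chronicle code and not the YARA-L engine; the flattened dotted field names, the `login()` builder and the sample users, timestamps and states are all assumptions, and the 1-day window is applied as a sliding window per user rather than the engine's own bucketing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=1)                      # mirrors "match: $user over 1d"
ALLOWED_VENDORS = {"Google Workspace", "Google Cloud Platform"}


def login(vendor, ts, country, state, user):
    """Build one flattened UDM USER_LOGIN event (constructed sample data, not a real log)."""
    return {
        "metadata.event_type": "USER_LOGIN",
        "metadata.vendor_name": vendor,
        "metadata.event_timestamp": ts,
        "principal.location.country_or_region": country,
        "principal.location.state": state,
        "target.user.email_addresses": [user],
    }


# Constructed sample events. admin@acme.com logs in twice from the same state and
# once more two days later; omri@acme.com logs in from two states on the same day.
SAMPLE_EVENTS = [
    login("Google Workspace", "2022-07-04T08:54:55Z", "Nederland", "Noord-Holland", "admin@acme.com"),
    login("Google Workspace", "2022-07-04T19:24:55Z", "Nederland", "Noord-Holland", "admin@acme.com"),
    # Different vendor: dropped by the rule's vendor_name filter.
    login("Okta", "2022-07-04T12:00:00Z", "Nederland", "Zuid-Holland", "admin@acme.com"),
    # More than one day after the other admin logins: outside the match window.
    login("Google Cloud Platform", "2022-07-06T10:00:00Z", "Nederland", "Utrecht", "admin@acme.com"),
    login("Google Cloud Platform", "2022-07-04T05:03:55Z", "Israel", "מחוז תל אביב", "omri@acme.com"),
    login("Google Workspace", "2022-07-04T21:10:00Z", "Nederland", "Zuid-Holland", "omri@acme.com"),
]


def _ts(value):
    """Parse the RFC 3339 timestamp used in the samples into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_event_filters(event):
    """The per-event predicates of the rule's events: section (state must be non-empty)."""
    return (
        event.get("metadata.event_type") == "USER_LOGIN"
        and event.get("metadata.vendor_name") in ALLOWED_VENDORS
        and event.get("principal.location.state", "") != ""
        and bool(event.get("target.user.email_addresses"))
    )


def detect_multi_state_logins(events, window=WINDOW):
    """Return {user: sorted distinct states} for users with >1 state within one window.

    Equivalent to "match: $user over 1d" plus "condition: $geoip and #state > 1".
    """
    per_user = defaultdict(list)
    for event in events:
        if not matches_event_filters(event):
            continue
        user = event["target.user.email_addresses"][0]
        per_user[user].append((_ts(event["metadata.event_timestamp"]),
                               event["principal.location.state"]))

    detections = {}
    for user, logins in per_user.items():
        logins.sort()                           # chronological order per user
        for i, (start, _) in enumerate(logins):
            # All states seen by this user in the window starting at this login.
            states = {state for ts, state in logins[i:] if ts - start < window}
            if len(states) > 1:                 # "#state > 1"
                detections[user] = sorted(states)
                break
    return detections


if __name__ == "__main__":
    for user, states in detect_multi_state_logins(SAMPLE_EVENTS).items():
        print(f"{user}: logins from {len(states)} distinct states within 1d: {states}")
```

Running it flags only omri@acme.com: the Okta login is filtered out by the vendor predicate, and the Utrecht login falls outside every 1-day window that contains the other admin logins, which is exactly why the rule's match window matters for tuning.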
Using GeoIP dashboards via Looker, and interesting BigQuery uses
GeoIP-enriched UDM data can be used via Chronicle's embedded Looker-powered dashboards, or via the Looker Marketplace.
Example of GeoIP UDM enrichment
Note: A native field of Location will be released in the near future to support the Looker Map visualization.
Chronicle SIEM data lake, aka BigQuery
Finally, UDM location data can be queried via BigQuery. Here's an example SQL query that returns aggregate results for all USER_LOGIN events by user and by country, with the first and last observed times.
SELECT
  principal.location.country_or_region,
  COUNT(principal.location.country_or_region) AS count_country,
  principal.location.state,
  COUNT(principal.location.state) AS count_state,
  target.user.email_addresses[ORDINAL(1)] AS principal_user,
  TIMESTAMP_SECONDS(MIN(metadata.event_timestamp.seconds)) AS first_observed,
  TIMESTAMP_SECONDS(MAX(metadata.event_timestamp.seconds)) AS last_observed
FROM `chronicle-coe.datalake.udm_events`
WHERE DATE(_PARTITIONTIME) = "2022-07-04"
  AND metadata.event_type = 15001
  AND metadata.vendor_name IN ("Google Cloud Platform", "Google Workspace")
GROUP BY 1, 3, 5
HAVING count_country > 0
ORDER BY count_country DESC
And the results:
| country_or_region | count_country | state | count_state | principal_user | first_observed | last_observed |
|---|---|---|---|---|---|---|
| Nederland | 5 | Noord-Holland | 5 | admin@acme.com | 2022-07-04T08:54:55Z | 2022-07-04T19:24:55Z |
| Israel | 1 | מחוז תל אביב | 1 | omri@acme.com | 2022-07-04T05:03:55Z | 2022-07-04T05:03:55Z |
With Chronicle’s data lake you have access to longitude and latitude coordinates, which in turn means you can use BigQuery Geospatial functions.
For example, to compute the distance between two geographies, you can use a BigQuery SQL query like the one below:
SELECT
  principal_user,
  ST_DISTANCE(north_pole, user_location) / 1000 AS distance_to_north_pole_km
FROM (
  SELECT
    ST_GeogPoint(135.00, 90.00) AS north_pole,
    ST_GeogPoint(principal.location.region_longitude, principal.location.region_latitude) AS user_location,
    target.user.email_addresses[ORDINAL(1)] AS principal_user
  FROM `chronicle-coe.datalake.udm_events`
  WHERE DATE(_PARTITIONTIME) >= "2022-07-04"
    AND metadata.event_type = 15001
    AND metadata.vendor_name IN ("Google Cloud Platform", "Google Workspace")
    AND principal.location.country_or_region != ""
)
ORDER BY 2 DESC

That answers the important question: we now know which user is closest to the North Pole.
| principal_user | distance_to_north_pole_km |
|---|---|
| omri@acme.com | 6438.98507 |
| admin@acme.com | 4167.527018 |
However, you can build more useful queries by leveraging area polygons, e.g., calculate a reasonable travel area from a location within a given interval and check whether subsequent geography values fall outside it, i.e., impossible-travel detection, with the caveat that this depends on an accurate and consistent GeoIP source.
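The distance and impossible-travel ideas above are easiest to reason about with a concrete calculation, so here is an added Python example that does the same thing as the ST_DISTANCE query but outside BigQuery: a haversine great-circle distance between the GeoIP region coordinates of consecutive logins per user, turned into an implied speed and compared with a plausibility threshold. This is example code written for this diary entry, not Chronicle code or a BigQuery feature; the `SAMPLE_LOGINS` records, the Tel Aviv coordinates, the 900 km/h threshold and the `impossible_travel()` helper are all assumptions. It also shows the caveat from the paragraph above: GeoIP gives a region centroid, so two logins from the same region produce a zero distance and no travel can be inferred from them.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0088
# Assumed threshold (not from the page): faster than a commercial airliner.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lon1, lat1, lon2, lat2):
    """Great-circle distance in km between two lon/lat points (spherical-earth approximation).

    Argument order matches ST_GeogPoint(longitude, latitude) in the BigQuery query above.
    """
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _ts(value):
    """Parse the RFC 3339 timestamp used in the samples into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed login records: (principal_user, event_timestamp, region_longitude, region_latitude).
# The coordinates are GeoIP region centroids (the Nederland pair is the one shown earlier on
# this page; the Israel pair is an assumed approximate Tel Aviv location), not exact positions.
SAMPLE_LOGINS = [
    ("admin@acme.com", "2022-07-04T08:54:55Z", 5.291266, 52.132633),
    ("admin@acme.com", "2022-07-04T19:24:55Z", 5.291266, 52.132633),
    ("omri@acme.com", "2022-07-04T05:03:55Z", 34.7818, 32.0853),
    ("omri@acme.com", "2022-07-04T07:03:55Z", 5.291266, 52.132633),
]


def impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one finding per consecutive login pair whose implied speed exceeds max_speed_kmh."""
    by_user = {}
    for user, ts, lon, lat in logins:
        by_user.setdefault(user, []).append((_ts(ts), lon, lat))

    findings = []
    for user, rows in by_user.items():
        rows.sort()                                    # chronological per user
        for (t1, lon1, lat1), (t2, lon2, lat2) in zip(rows, rows[1:]):
            dist_km = haversine_km(lon1, lat1, lon2, lat2)
            if dist_km == 0:
                # Same GeoIP centroid: the enrichment cannot tell us whether the user moved.
                continue
            hours = (t2 - t1).total_seconds() / 3600
            speed_kmh = dist_km / hours if hours > 0 else math.inf
            if speed_kmh > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": (lon1, lat1),
                    "to": (lon2, lat2),
                    "distance_km": round(dist_km, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed_kmh, 1),
                })
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_LOGINS):
        print(f"{finding['user']}: {finding['distance_km']} km in {finding['hours']} h "
              f"(~{finding['speed_kmh']} km/h) exceeds {MAX_PLAUSIBLE_SPEED_KMH} km/h")
```

With the sample data only omri@acme.com is flagged (roughly 3,260 km in two hours); admin@acme.com's two logins share a centroid and are skipped rather than counted as "no travel", which is the consistent-source caveat in practice. A production version would swap the fixed threshold for the polygon approach described above and keep GeoIP provider and database version alongside each finding so that centroid changes between updates do not show up as movement.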
Updating Existing Log Sources
In order not to break existing searches or detections that rely on values populated into UDM's location noun, if an existing data type already populates location via CBN, it will not be overwritten by native GeoIP enrichment.
Summary
We look forward to hearing from customers and driving towards goals of securing the enterprise at scale with these enrichments and use cases.
To learn more about these integrations and capabilities, contact your Google Cloud Platform sales or CSM team. You can learn more about all these new capabilities in Google Chronicle in our product documentation.
Don't forget to look at the video podcast of this entry. Looking forward to sharing another story in another Security Analyst Diary.