Security Analyst Diaries #5: GeoIP enrichment on Chronicle SecOps

Welcome to another Security Analyst Diary entry. We embarked on a journey to drive context-aware detections and enrich ingested data with actionable information for our customers. As part of driving that insight, we have a new and effective addition to drive enhanced context: GeoIP.  Check out the video podcast of this diary entry.

Chronicle SIEM enables analysts to drive impactful security operations, context-driven detections, investigations and enable a faster threat response. In today’s Security Analyst Diary we’re going to cover:

  1. What is GeoIP and how do we enrich the data?

  2. Building relevant UDM search queries based on GeoIP

  3. Building YARA-L detection rules

  4. Using GeoIP Dashboards via Looker and interesting BigQuery uses

Let’s begin!

What is GeoIP and how do we enrich the data?

In its most simplistic definition, GeoIP is the process of providing a geographic location based on a public IP address, e.g., the IP address 1.2.3.4 is in the United States (country_or_region), Alaska (state). Chronicle SIEM now has native and automatic GeoIP enrichment which can be used for search and detection use cases.

Additionally, we make the enrichment actionable for driving new capabilities in the SOC. GeoIP data is enriched into the Chronicle UDM objects:

  • Principal

  • Target

  • Src

  • Observer

GeoIP enrichment                        UDM path
Country or region, e.g., United States  .location.country_or_region
State, e.g., New York                   .location.state
Longitude                               .location.region_longitude
Latitude                                .location.region_latitude

Here is an example of what the enriched data looks like on one of the UDM objects (src, in this case):

src.location.country_or_region   Nederland
src.location.region_latitude     52.132633
src.location.region_longitude    5.291266

Chronicle SIEM uses the CLDR format for country names (which is why the Netherlands appears as "Nederland" above). Examples of the country name formats can be found on the CLDR GitHub page.

Let’s go through some use cases.

Building relevant UDM search queries based on GeoIP

GeoIP-enriched UDM can be used via UDM Search. Here are a few examples to get started with:

By Country Name (country_or_region)

src.location.country_or_region = "Nederland" OR principal.location.country_or_region = "Nederland"

By State (state)

src.location.state = "Noord-Holland" OR principal.location.state = "Noord-Holland"

By Longitude & Latitude

Note: UDM Search does not currently support searching on longitude and latitude. Stay tuned for updates, and see the BigQuery section below for a way to query them today.

Putting it together, we can start to craft UDM searches for activity towards unauthorized target geographies, for example network connections to a set of sanctioned countries:

metadata.event_type = "NETWORK_CONNECTION" AND ( target.location.country_or_region = "Cuba" OR target.location.country_or_region = "Iran" OR target.location.country_or_region = "North Korea" OR target.location.country_or_region = "Russia" OR target.location.country_or_region = "Syria" )

Hey, I can’t see GeoIP enriched UDM fields in the UI?

Context-enriched fields are displayed in the UDM grid views, e.g., UDM Search, Detection View and User View, but they are not visible in the Event Viewer.

Building YARA-L detection rules

This is where it gets really impactful and exciting. GeoIP-enriched UDM can be used via Chronicle SIEM’s detection engine. Let’s look at an example which can detect if a user entity is authenticating from multiple distinct states. This is a simple and powerful use case that can help drive impactful alarms within the SOC to detect login compromises.

rule geoip_user_login_multiple_states_within_1d {

  meta:
    author = "demo"
    description = "Detect multiple authentication attempts from multiple distinct locations using Chronicle GeoIP enriched UDM."
    severity = "INFORMATIONAL"

  events:
    $geoip.metadata.event_type = "USER_LOGIN"
    ( $geoip.metadata.vendor_name = "Google Workspace" or $geoip.metadata.vendor_name = "Google Cloud Platform" )

    /* optionally, detect distinct locations at a country level instead of state level
    ( $geoip.principal.location.country_or_region != "" and $geoip.principal.location.country_or_region = $country )
    */

    // only consider events that actually carry a GeoIP state, and bind it for the count below
    ( $geoip.principal.location.state != "" and $geoip.principal.location.state = $state )
    $geoip.target.user.email_addresses = $user

  match:
    $user over 1d

  condition:
    $geoip and #state > 1
}

Note that the condition counts distinct values bound to $state, so the state line must stay active (only the country-level block is commented out); if you switch to the country-level variant, change the condition to #country > 1 accordingly.
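To make the rule's logic concrete, here is an added Python sketch that is not Chronicle code and not a YARA-L engine: it applies the same filters (USER_LOGIN, the two vendors, a non-empty location) to a handful of constructed UDM-like login events and reports users seen in more than one distinct state within a one-day window. The event dictionaries, user names and states are made up for the example, and the sliding window is only an approximation of the rule's `match: $user over 1d`. The `field` parameter also covers the commented-out country-level variant of the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Vendors the rule's events: section accepts (taken from the rule above).
VENDORS = {"Google Workspace", "Google Cloud Platform"}

# Constructed sample events, flattened from the UDM fields the rule reads
# (metadata.event_type, metadata.vendor_name, principal.location.*, target.user.email_addresses).
SAMPLE_EVENTS = [
    {"ts": "2022-07-04T08:54:55Z", "event_type": "USER_LOGIN", "vendor": "Google Workspace",
     "user": "admin@acme.com", "country": "Nederland", "state": "Noord-Holland"},
    {"ts": "2022-07-04T19:24:55Z", "event_type": "USER_LOGIN", "vendor": "Google Cloud Platform",
     "user": "admin@acme.com", "country": "Nederland", "state": "Utrecht"},
    # Different vendor: filtered out by the events: section, so it never counts.
    {"ts": "2022-07-04T20:00:00Z", "event_type": "USER_LOGIN", "vendor": "Okta",
     "user": "admin@acme.com", "country": "Nederland", "state": "Zuid-Holland"},
    {"ts": "2022-07-04T05:03:55Z", "event_type": "USER_LOGIN", "vendor": "Google Workspace",
     "user": "omri@acme.com", "country": "Israel", "state": "מחוז תל אביב"},
    # Three days later: a second state, but outside any 1-day window.
    {"ts": "2022-07-07T05:03:55Z", "event_type": "USER_LOGIN", "vendor": "Google Workspace",
     "user": "omri@acme.com", "country": "Nederland", "state": "Noord-Holland"},
    # Not GeoIP-enriched (empty state): excluded by the != "" guard in the rule.
    {"ts": "2022-07-04T10:00:00Z", "event_type": "USER_LOGIN", "vendor": "Google Workspace",
     "user": "svc@acme.com", "country": "", "state": ""},
    {"ts": "2022-07-04T11:00:00Z", "event_type": "USER_LOGIN", "vendor": "Google Workspace",
     "user": "svc@acme.com", "country": "", "state": ""},
]


def parse_ts(value):
    """UDM-style RFC 3339 timestamp (UTC 'Z') to an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def event_matches(event, field):
    """The rule's events: filters: a USER_LOGIN from one of the vendors with the location populated."""
    return (event["event_type"] == "USER_LOGIN"
            and event["vendor"] in VENDORS
            and event[field] != "")


def find_multi_location_logins(events, field="state", window=timedelta(days=1), min_distinct=2):
    """Return {user: set_of_locations} for users seen in >= min_distinct distinct values of
    `field` within one window. field="state" mirrors the rule as written; field="country"
    mirrors the commented-out country-level variant. The sliding window approximates
    YARA-L's `match: $user over 1d`."""
    by_user = defaultdict(list)
    for event in events:
        if event_matches(event, field):
            by_user[event["user"]].append((parse_ts(event["ts"]), event[field]))

    hits = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda row: row[0])
        for i, (start, _) in enumerate(rows):
            # All locations for this user whose timestamp falls within one window of `start`.
            in_window = {loc for ts, loc in rows[i:] if ts - start < window}
            if len(in_window) >= min_distinct:
                hits[user] = in_window
                break
    return hits


if __name__ == "__main__":
    for user, states in find_multi_location_logins(SAMPLE_EVENTS).items():
        print(f"{user}: logins from {len(states)} distinct states within 1d: {sorted(states)}")
```

Running it reports only admin@acme.com (Noord-Holland and Utrecht within the same day); omri@acme.com's two states are three days apart and the unenriched svc@acme.com events are skipped, which is exactly what the `!= ""` guard in the rule is there for.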

Using GeoIP dashboards via Looker, and interesting BigQuery uses

GeoIP-enriched UDM data can be used via Chronicle's embedded Looker-powered dashboards, or via the Looker Marketplace.

Example of GeoIP UDM enrichment

Note: A native field of Location will be released in the near future to support the Looker Map visualization.

Chronicle SIEM data lake, aka BigQuery

Finally, UDM location data can be queried via BigQuery. Here's an example SQL query that returns aggregate results for all USER_LOGIN events by user, country and state, with the first and last observed times (event_type 15001 is the data lake's numeric value for USER_LOGIN).

SELECT
  principal.location.country_or_region,
  COUNT(principal.location.country_or_region) AS count_country,
  principal.location.state,
  COUNT(principal.location.state) AS count_state,
  target.user.email_addresses[ORDINAL(1)] AS principal_user,
  TIMESTAMP_SECONDS(MIN(metadata.event_timestamp.seconds)) AS first_observed,
  TIMESTAMP_SECONDS(MAX(metadata.event_timestamp.seconds)) AS last_observed
FROM `chronicle-coe.datalake.udm_events`
WHERE DATE(_PARTITIONTIME) = "2022-07-04"
  AND metadata.event_type = 15001
  AND metadata.vendor_name IN ("Google Cloud Platform", "Google Workspace")
GROUP BY 1, 3, 5
HAVING count_country > 0
ORDER BY count_country DESC

And the results:

country_or_region  count_country  state          count_state  principal_user  first_observed        last_observed
Nederland          5              Noord-Holland  5            admin@acme.com  2022-07-04T08:54:55Z  2022-07-04T19:24:55Z
Israel             1              מחוז תל אביב   1            omri@acme.com   2022-07-04T05:03:55Z  2022-07-04T05:03:55Z

With Chronicle’s data lake you have access to longitude and latitude coordinates, which in turn means you can use BigQuery Geospatial functions.

For example, to compute the distance between two geographies you can use a BigQuery SQL query like the one below, which measures how far each user's login location is from the North Pole:

SELECT
  principal_user,
  ST_DISTANCE(north_pole, user_location) / 1000 AS distance_to_north_pole_km
FROM (
  SELECT
    ST_GeogPoint(135.00, 90.00) AS north_pole,
    ST_GeogPoint(principal.location.region_longitude, principal.location.region_latitude) AS user_location,
    target.user.email_addresses[ORDINAL(1)] AS principal_user
  FROM `chronicle-coe.datalake.udm_events`
  WHERE DATE(_PARTITIONTIME) >= "2022-07-04"
    AND metadata.event_type = 15001
    AND metadata.vendor_name IN ("Google Cloud Platform", "Google Workspace")
    AND principal.location.country_or_region != ""
)
ORDER BY 2 DESC

Answering the important question: we now know which user is closest to the North Pole.

principal_user   distance_to_north_pole_km
omri@acme.com    6438.98507
admin@acme.com   4167.527018

However, you can build more useful queries by leveraging area polygons, e.g., calculate a reasonable area of travel from a location within a given interval and check whether the user's subsequent geography values fall inside it, i.e., impossible travel detections, with the caveat that this relies on having an accurate and consistent GeoIP source.
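As an added illustration of the impossible-travel idea (not Chronicle's code and not a BigQuery query), the Python below works on the kind of region_latitude/region_longitude values the data lake exposes: it orders each user's logins, computes the great-circle distance between consecutive logins with the haversine formula, and flags pairs whose implied speed is beyond what travel allows. The login records, coordinates, and the 900 km/h and 100 km thresholds are constructed for the example. The minimum-distance threshold is one way to absorb the caveat above: GeoIP coordinates are region centroids rather than the user's position, so small jumps between neighbouring regions are noise, not movement.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0

# Constructed login records with the GeoIP-enriched fields the data lake exposes.
# Coordinates are made up for the example (approximate city centres), not Chronicle output.
SAMPLE_LOGINS = [
    {"ts": "2022-07-04T05:03:55Z", "user": "omri@acme.com", "state": "מחוז תל אביב",
     "lat": 32.0853, "lon": 34.7818},
    # One hour later, roughly 3,300 km away: not reachable, so this pair should be flagged.
    {"ts": "2022-07-04T06:03:55Z", "user": "omri@acme.com", "state": "Noord-Holland",
     "lat": 52.3676, "lon": 4.9041},
    {"ts": "2022-07-04T08:54:55Z", "user": "admin@acme.com", "state": "Noord-Holland",
     "lat": 52.3676, "lon": 4.9041},
    # Neighbouring province about 34 km away, ten hours later: ordinary travel, and below
    # the distance we trust GeoIP centroids to resolve.
    {"ts": "2022-07-04T19:24:55Z", "user": "admin@acme.com", "state": "Utrecht",
     "lat": 52.0907, "lon": 5.1214},
]


def parse_ts(value):
    """UDM-style RFC 3339 timestamp (UTC 'Z') to an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive logins of the same user whose implied speed exceeds max_speed_kmh.
    Pairs closer than min_distance_km are ignored because GeoIP coordinates are region
    centroids. A zero time delta with real distance counts as infinite speed."""
    by_user = {}
    for login in logins:
        by_user.setdefault(login["user"], []).append(login)

    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: parse_ts(r["ts"]))
        for prev, cur in zip(rows, rows[1:]):
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if distance < min_distance_km:
                continue
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = distance / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                findings.append({"user": user, "from_state": prev["state"], "to_state": cur["state"],
                                 "distance_km": round(distance, 1), "hours": round(hours, 2),
                                 "speed_kmh": round(speed, 1)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f"{f['user']}: {f['from_state']} -> {f['to_state']} "
              f"{f['distance_km']} km in {f['hours']} h ({f['speed_kmh']} km/h)")
```

On the sample data only omri@acme.com is flagged (about 3,300 km in one hour); admin@acme.com's Noord-Holland to Utrecht hop is both slow and under the 100 km floor. Tune `max_speed_kmh` and `min_distance_km` to your own GeoIP source's granularity, since a country-level source will place every login in that country on the same centroid.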

Updating Existing Log Sources

To avoid breaking existing searches or detections that rely on values already populated into UDM's location noun, a log type whose CBN parser already populates the location fields will not have them overwritten by native GeoIP enrichment.

Summary

We look forward to hearing from customers and driving towards goals of securing the enterprise at scale with these enrichments and use cases.

To learn more about these integrations and capabilities, contact your Google Cloud Platform sales or CSM team. You can learn more about all these new capabilities in Google Chronicle in our product documentation.

Don't forget to look at the video podcast of this entry. Looking forward to sharing another story in another Security Analyst Diary.
