1. Logpoint Service Desk
  2. Community
  3. SIEM - Searching & Analytics

Using geoip at drilldown

Avatar
Follow
0

Hi,

at

https://servicedesk.logpoint.com/hc/en-us/community/posts/360008777778-How-To-video-Using-GeoIP-with-LogPoint

Kalyan Bhetwal provided the following query:

norm_id=*  destination_address=* -destination_address in HOMENET  | chart count() by destination_address, country order by count() desc limit 10 | process geoip(destination_address) as country

To my comment “With the ‘new’ query it's not possible to make a drill down.” he wrote:

We will have a new feature in upcoming version of logpoint where the geoip used after chart count() will also be present in drilldown. This will solve the drilldown problem.

What about the new feature? At the moment, it’s still not possible to make a drill down.

I use Logpiont 6.12.1.

Best regards,

Hans Vedder

Share This Post:

1 comment

Date Votes
0
Avatar
Rupsan Shrestha

Hello Hans,

This feature is still in the pipeline as there seems to be a simple workaround for this use case. We can apply a static enrichment on the incoming logs by using “ GeoIp_source_address ” enrichment source.

However, this may not work for mapping the destination address traffic as the enrichment source matches the “source_address” not the “destination_address”

We cannot drill down right now as the logs are enriched only at the time of the search lookup when process command is used. This information will not persist in the actual logs if static enrichment is not configured.

We will update regarding this use case once this feature is available through dynamic enrichment.

Please sign in to leave a comment.