Filebeat - How to add GeoIP data for field data.parameters.alert.data.srcip ?


Sylmarch

Jun 3, 2022, 11:30:38 AM6/3/22
to Wazuh mailing list
Hello,

we are using Wazuh v4.3.3 and Wazuh Indexer / Wazuh Dashboard.

We have built custom dashboards for alerts that have been generated by rule 651 (= Host Blocked by firewall-drop Active Response).

Now, we want to show in a map widget the location of the dropped IPs.

I have noticed that some events ingested into Wazuh Indexer have been enriched with 4 GeoIP fields:
  • GeoLocation.city_name
  • GeoLocation.country_name
  • GeoLocation.location
  • GeoLocation.region_name
As far as I understand, the events are enriched by the Filebeat agent and only a few fields are processed (especially data.srcip):

cat /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
{
  "description": "Wazuh alerts pipeline",
  "processors": [
    { "json" : { "field" : "message", "add_to_root": true } },
    {
      "geoip": {
        "field": "data.srcip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.win.eventdata.ipAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.aws.sourceIPAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.gcp.jsonPayload.sourceIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
...

However, alerts generated for rule 651 do not have a data.src field but a data.parameters.alert.data.srcip field, which is not currently processed by the Wazuh Filebeat module (maybe I should open an issue and/or a PR once I manage to fix my problem).


I have tried to:

1) Add this section to the /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json file. I did not change the target field, to stay compliant with the wazuh-template:

    {
      "geoip": {
        "field": "data.parameters.alert.data.srcip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },

2) Restart the filebeat service

3) Make a new web request, from a public IP, that is dropped by rule 651

However, I do not see any GeoLocation.* field in the new event on the Wazuh dashboard, even though I do see the field data.parameters.alert.data.srcip...


Could you explain to me what's wrong with my attempt?

Is there any additional action to perform to ask Filebeat to reload the Wazuh module configuration?

Thank you.

Javier Castro

Jun 3, 2022, 12:03:24 PM6/3/22
to Wazuh mailing list
Hello,

The steps that you followed look good to me, but maybe Filebeat doesn't update the pipeline when you restart it. You can force this by executing:

filebeat setup --pipelines --modules wazuh

As a reminder, you should modify the pipeline.json file and execute the command in every Wazuh manager in your environment.

Hope that helps!
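
An added example (not code from this thread or from the Wazuh Filebeat module) that performs the edit from step 1 on the parsed pipeline.json and checks it offline: it inserts the geoip processor for data.parameters.alert.data.srcip after the existing geoip processors, shows which geoip processors would actually find their source field in a constructed rule 651 alert (with ignore_missing: true the others silently skip, which is why such alerts get no GeoLocation.* at all), and builds the request body for the indexer's _simulate API so the pipeline can be verified after running the filebeat setup command. The alert shape and IP address are constructed assumptions.

```python
import copy
import json

# Constructed sample: a rule 651 (firewall-drop Active Response) alert as it
# looks after Filebeat's json processor has expanded `message` into the root.
SAMPLE_ALERT = {
    "rule": {"id": "651", "description": "Host Blocked by firewall-drop Active Response"},
    "data": {"parameters": {"alert": {"data": {"srcip": "203.0.113.10"}}}},
}
GEOIP_PROPERTIES = ["city_name", "country_name", "region_name", "location"]

def geoip_processor(field):
    """One geoip processor entry, in the same shape the Wazuh module uses."""
    return {"geoip": {"field": field, "target_field": "GeoLocation",
                      "properties": GEOIP_PROPERTIES,
                      "ignore_missing": True, "ignore_failure": True}}

def add_geoip_field(pipeline, field):
    """Copy of the parsed pipeline.json with a geoip processor for `field`,
    inserted after the last existing geoip processor (so it runs after the
    json processor that exposes the alert fields). Adding twice is a no-op."""
    p = copy.deepcopy(pipeline)
    procs = p["processors"]
    if any(x.get("geoip", {}).get("field") == field for x in procs):
        return p
    last = max((i for i, x in enumerate(procs) if "geoip" in x), default=0)
    procs.insert(last + 1, geoip_processor(field))
    return p

def resolve(doc, dotted):
    """Look up a dotted field path the way an ingest processor does."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def geoip_fields_hit(pipeline, doc):
    """Source fields of the geoip processors that actually exist in `doc`;
    with ignore_missing: true every other geoip processor silently does nothing."""
    return [x["geoip"]["field"] for x in pipeline["processors"]
            if "geoip" in x and resolve(doc, x["geoip"]["field"]) is not None]

def simulate_request(pipeline, doc):
    """Path and body for the indexer's _simulate API: run the edited pipeline
    against the alert line exactly as Filebeat ships it (JSON in `message`)."""
    body = {"pipeline": pipeline, "docs": [{"_source": {"message": json.dumps(doc)}}]}
    return "POST /_ingest/pipeline/_simulate", body
```

Load pipeline.json with json.load, pass it to add_geoip_field, write the result back, and then run the filebeat setup command above on every manager; the _simulate body lets you confirm GeoLocation.* appears before relying on new alerts.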

Sylmarch

Jun 7, 2022, 3:42:30 AM6/7/22
to Wazuh mailing list
Great, it works!

Thanks again to the Wazuh team for your availability and quick answers.

Sylmarch

Jun 10, 2022, 8:26:21 AM6/10/22
to Wazuh mailing list