Utilize GeoLocation Field

Yossif Helmy

Dec 1, 2024, 4:27:20 AM
to Wazuh | Mailing List
Hello,

Is there a way to utilize the GeoLocation.country_name in the rules?

Olusegun Adenrele Oyebo

Dec 1, 2024, 12:12:10 PM
to Wazuh | Mailing List
Hello Yossif,

The field GeoLocation.country_name is enriched by Wazuh-Indexer based on some alert's IP fields. This step takes place at a higher level of the stack than when the events are matched to the rules. That is why you might see the field in the final event but it is not considered to trigger the alert. That field is not available during the alert processing. The important thing to understand here is that by default the geolocation information is not available at the moment that the event is being analyzed for rule matching.
To work around this you can compile the Wazuh Server enabling the USE_GEOIP flag.

In order to create rules that can use geolocation, you must build Wazuh with the flag USE_GEOIP=yes.
It also requires a GeoIP database: We support the legacy MaxMind GeoLite format, and the updated and maintained databases use the new GeoLite2 format. It should be converted to the legacy format using an external tool. You can check the links below, which could be useful for you in this case:

Yossif Helmy

Dec 8, 2024, 6:54:31 PM
to Wazuh | Mailing List
Hello Olusegun,

Will creating a workaround by adding the desired country list(s) directly into a CDB list cause an issue? The list is 1k to 2k IPs.

Olusegun Adenrele Oyebo

Dec 9, 2024, 10:56:45 AM
to Wazuh | Mailing List
Hello Yossif,

There is no limit to the amount to add. You can add as many as you want. However, using a long CDB list could cause the API to take more time to load and can cause a timeout error.

I hope this provided clarity. We remain attentive to your queries.

Best regards.
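To illustrate the CDB workaround discussed in this thread, here is an added example (not from the thread or from the Wazuh project) of a CDB list keyed by IP ranges together with a local rule that consults it at rule-matching time. The list path `etc/lists/country-ips`, the rule ID 100100, the parent sshd rule 5716 and the sample ranges are assumptions.

```xml
<!-- Constructed contents of /var/ossec/etc/lists/country-ips (path assumed).
     One "key:value" entry per line; the key is an IP address or CIDR range,
     the value is free text, here the country the range is attributed to.
     The ranges below are RFC 5737 documentation prefixes, not real ones:

     192.0.2.0/24:ExampleCountryA
     198.51.100.0/24:ExampleCountryA
     203.0.113.7:ExampleCountryB
-->

<!-- /var/ossec/etc/ossec.conf: register the list so the analysis engine
     compiles it into a CDB database when the manager starts. -->
<ossec_config>
  <ruleset>
    <list>etc/lists/country-ips</list>
  </ruleset>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="geo_cdb,">
  <!-- Fires when an sshd authentication failure (parent rule 5716 assumed)
       has a source IP that matches a key in the CDB list. Because the lookup
       happens while the event is being matched against rules, it can raise
       an alert, unlike the GeoLocation.* fields added later by the indexer. -->
  <rule id="100100" level="10">
    <if_sid>5716</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/country-ips</list>
    <description>sshd authentication failure from an IP range in the country list</description>
  </rule>
</group>
```

After editing the list or the rule, restart the manager so the CDB file is rebuilt, then feed a sample sshd failure line through `/var/ossec/bin/wazuh-logtest` to confirm that rule 100100 matches for an address inside one of the listed ranges and stays silent for one outside them.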