USE GEO LOCATION COUNTRY NAME IN RULE

[Mohammad Awais Javaid]

I have tried to use geo location country name in rules in sid but that never happens. No rule is triggered using the geo location country name field. it appears in the document but not be used by new rules which I am trying to write. 

Is there any solution to this, I dont want to go with work around to build manager from sources since I need to do this in my production servers, but I need a proper method  to handle this situation. 

Can any one help me with this?

Regards 

Awais

[Emiliano Zorn]

Hi!

The GeoIP data is added to the events in a higher level of the stack, that's why you can see it in the final events but it can't be used to trigger alerts.

If you want to make the Wazuh manager capable of using the GeoIP data for alerts, it's necessary to compile the manager with the USE_GEOIP  flag enabled (Available flags). Also, you have to download the GeoLite2 legacy database and convert it with the geolite2legacy tool. 

The whole process is already described in this previous answer, don't hesitate in making any question you have:

https://groups.google.com/g/wazuh/c/ZYCavRdVPoo/m/6Ni8xzutAQAJ

There are also some open issues on Github related to this feature 
Include GeoIP support for missing source IP fields in Wazuh's Filebeat pipeline.json files, using field normalization #11097

Enable GeoIP & Location data in Wazuh #4496