network_traffic: add optional GeoIP enrichment (#4822)

Make the enrichment configurable to allow users with very high throughput and no need for geolocation to turn off enrichment, but set to on by default.

Author: efd6

packages/network_traffic/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.0"
+ changes:
+ - description: GeoIP enrich IP addresses.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4822
 - version: "1.7.1"
  changes:
  - description: Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load

packages/network_traffic/data_stream/amqp/agent/stream/amqp.yml.hbs

@@ -5,6 +5,10 @@ ports:
  - {{p}}
 {{/each}}
 {{/if}}
+fields_under_root: true
+fields:
+ _conf:
+ geoip_enrich: {{geoip_enrich}}
 {{#if max_body_length}}
 max_body_length: {{max_body_length}}
 {{/if}}

packages/network_traffic/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml

@@ -21,6 +21,14 @@ processors:
 - uppercase:
  field: host.mac
  ignore_missing: true
+
+- pipeline:
+ if: ctx._conf?.geoip_enrich != null && ctx._conf.geoip_enrich
+ name: '{{ IngestPipeline "geoip" }}'
+- remove:
+ field: _conf
+ ignore_missing: true
+
 - script:
  description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
  # This string-based comparison is valid while versions are below v10.x.

packages/network_traffic/data_stream/amqp/elasticsearch/ingest_pipeline/geoip.yml

@@ -0,0 +1,91 @@
+---
+description: GeoIP enrichment.
+processors:
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+ - geoip:
+ field: server.ip
+ target_field: server.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: server.ip
+ target_field: server.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: server.as.asn
+ target_field: server.as.number
+ ignore_missing: true
+ - rename:
+ field: server.as.organization_name
+ target_field: server.as.organization.name
+ ignore_missing: true
+
+ - geoip:
+ field: client.ip
+ target_field: client.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: client.ip
+ target_field: client.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: client.as.asn
+ target_field: client.as.number
+ ignore_missing: true
+ - rename:
+ field: client.as.organization_name
+ target_field: client.as.organization.name
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"

packages/network_traffic/data_stream/amqp/fields/ecs.yml

@@ -66,3 +66,59 @@
  name: source.ip
 - external: ecs
  name: source.port
+- external: ecs
+ name: client.geo.city_name
+- external: ecs
+ name: client.geo.continent_name
+- external: ecs
+ name: client.geo.country_iso_code
+- external: ecs
+ name: client.geo.country_name
+- external: ecs
+ name: client.geo.location
+- external: ecs
+ name: client.geo.region_iso_code
+- external: ecs
+ name: client.geo.region_name
+- external: ecs
+ name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_name
+- external: ecs
+ name: destination.geo.country_iso_code
+- external: ecs
+ name: destination.geo.country_name
+- external: ecs
+ name: destination.geo.location
+- external: ecs
+ name: destination.geo.region_iso_code
+- external: ecs
+ name: destination.geo.region_name
+- external: ecs
+ name: server.geo.city_name
+- external: ecs
+ name: server.geo.continent_name
+- external: ecs
+ name: server.geo.country_iso_code
+- external: ecs
+ name: server.geo.country_name
+- external: ecs
+ name: server.geo.location
+- external: ecs
+ name: server.geo.region_iso_code
+- external: ecs
+ name: server.geo.region_name
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- external: ecs
+ name: source.geo.location
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name

packages/network_traffic/data_stream/amqp/manifest.yml

@@ -14,6 +14,14 @@ streams:
  required: true
  show_user: true
  default: [5672]
+ - name: geoip_enrich
+ required: true
+ show_user: true
+ title: GeoIP enrich IP addresses
+ description: Perform GeoIP enrichment on IP addresses in events.
+ type: bool
+ multi: false
+ default: true
  - name: monitor_processes
  type: bool
  title: Monitor Processes

packages/network_traffic/data_stream/amqp/sample_event.json

@@ -1,11 +1,11 @@
 {
- "@timestamp": "2022-06-28T23:30:50.532Z",
+ "@timestamp": "2022-12-13T23:20:31.501Z",
  "agent": {
- "ephemeral_id": "a929a7a7-1dba-4961-8b38-b7ef8ed7f1e2",
- "id": "827ce6a9-85bd-4e07-9a7a-4896c17144cd",
+ "ephemeral_id": "aa5ced14-2b74-4cf6-b122-067a35e57cd3",
+ "id": "00a75d9d-728c-4ab5-acb6-9f78082797e7",
  "name": "docker-fleet-agent",
  "type": "packetbeat",
- "version": "8.2.3"
+ "version": "8.4.1"
  },
  "amqp": {
  "auto-delete": false,
@@ -19,7 +19,19 @@
  },
  "client": {
  "bytes": 25,
- "ip": "127.0.0.1",
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
  "port": 34222
  },
  "data_stream": {
@@ -29,16 +41,28 @@
  },
  "destination": {
  "bytes": 26,
- "ip": "127.0.0.1",
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
  "port": 5672
  },
  "ecs": {
  "version": "8.5.0"
  },
  "elastic_agent": {
- "id": "827ce6a9-85bd-4e07-9a7a-4896c17144cd",
+ "id": "00a75d9d-728c-4ab5-acb6-9f78082797e7",
  "snapshot": false,
- "version": "8.2.3"
+ "version": "8.4.1"
  },
  "event": {
  "action": "amqp.queue.declare",
@@ -47,11 +71,11 @@
  "network"
  ],
  "dataset": "network_traffic.amqp",
- "duration": 1407200,
- "end": "2022-06-28T23:30:50.533Z",
- "ingested": "2022-06-28T23:30:54Z",
+ "duration": 1201362,
+ "end": "2022-12-13T23:20:31.502Z",
+ "ingested": "2022-12-13T23:20:35Z",
  "kind": "event",
- "start": "2022-06-28T23:30:50.532Z",
+ "start": "2022-12-13T23:20:31.501Z",
  "type": [
  "connection",
  "protocol"
@@ -61,11 +85,12 @@
  "architecture": "x86_64",
  "containerized": false,
  "hostname": "docker-fleet-agent",
+ "id": "51511c1493f34922b559a964798246ec",
  "ip": [
- "192.168.48.7"
+ "172.28.0.7"
  ],
  "mac": [
- "02-42-C0-A8-30-07"
+ "02-42-AC-1C-00-07"
  ],
  "name": "docker-fleet-agent",
  "os": {
@@ -94,12 +119,36 @@
  },
  "server": {
  "bytes": 26,
- "ip": "127.0.0.1",
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
  "port": 5672
  },
  "source": {
  "bytes": 25,
- "ip": "127.0.0.1",
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
  "port": 34222
  },
  "status": "OK",

packages/network_traffic/data_stream/cassandra/agent/stream/cassandra.yml.hbs

@@ -5,6 +5,10 @@ ports:
  - {{p}}
 {{/each}}
 {{/if}}
+fields_under_root: true
+fields:
+ _conf:
+ geoip_enrich: {{geoip_enrich}}
 {{#if send_request}}
 send_request: {{send_request}}
 {{/if}}

packages/network_traffic/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml

@@ -21,6 +21,14 @@ processors:
 - uppercase:
  field: host.mac
  ignore_missing: true
+
+- pipeline:
+ if: ctx._conf?.geoip_enrich != null && ctx._conf.geoip_enrich
+ name: '{{ IngestPipeline "geoip" }}'
+- remove:
+ field: _conf
+ ignore_missing: true
+
 - script:
  description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
  # This string-based comparison is valid while versions are below v10.x.