Configure network map data

Depending on your Kibana setup, to display and interact with data on the Network page’s map you might need to:

- Create Kibana index patterns
- Add geoIP data
- Map your internal network
To see source and destination connection lines on the map, you must
configure the source.geo and destination.geo ECS fields for your indices.
Create Kibana index patterns

To display map data, you must define Kibana index patterns (Stack Management → Index Patterns) that match the names or glob patterns used to define the Elastic Security indices.
The Elastic Security indices are defined in the securitysolution:defaultIndex field
(Kibana → Stack Management → Advanced Settings → securitysolution:defaultIndex).
For example, if you define an Elastic Security servers-europe-* glob pattern,
to display map data for the matching indices you must also define a Kibana index
pattern that matches servers-europe-*, such as servers-*.
Add geoIP data

When the ECS source.geo.location and destination.geo.location fields are mapped, network data is displayed on the map.
If you use Beats, configure a geoIP processor to add data to the relevant fields:
1. Define an ingest node pipeline that uses one or more geoip processors to add location information to events. For example, use the Console in Kibana to create the following pipeline:

   PUT _ingest/pipeline/geoip-info
   {
     "description": "Add geoip info",
     "processors": [
       { "geoip": { "field": "client.ip", "target_field": "client.geo", "ignore_missing": true } },
       { "geoip": { "field": "source.ip", "target_field": "source.geo", "ignore_missing": true } },
       { "geoip": { "field": "destination.ip", "target_field": "destination.geo", "ignore_missing": true } },
       { "geoip": { "field": "server.ip", "target_field": "server.geo", "ignore_missing": true } },
       { "geoip": { "field": "host.ip", "target_field": "host.geo", "ignore_missing": true } }
     ]
   }

   In this example, the pipeline ID is geoip-info. `field` specifies the field that contains the IP address to use for the geographical lookup, and `target_field` is the field that will hold the geographical information. `"ignore_missing": true` configures the pipeline to continue processing when it encounters an event that doesn’t have the specified field. An example ingest pipeline that uses the GeoLite2-ASN.mmdb database to add autonomous system number (ASN) fields can be found here.
2. In your Beats configuration files, add the pipeline to the `output.elasticsearch` tag. The value of the `pipeline` setting under `output.elasticsearch` must be the same as the ingest pipeline name in step 1 (geoip-info in this example).
Map your internal network

If you want to add your network’s internal IP addresses to the map, define geo
location fields under the processors tag in the Beats configuration files
on your hosts:

processors:
- add_host_metadata:
- add_cloud_metadata: ~
- add_fields:
    when.network.source.ip: <private/IP address>
    fields:
      source.geo.location:
        lat: <latitude coordinate>
        lon: <longitude coordinate>
    target: ''
- add_fields:
    when.network.destination.ip: <private/IP address>
    fields:
      destination.geo.location:
        lat: <latitude coordinate>
        lon: <longitude coordinate>
    target: ''
You can also enrich your data with other host fields.
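To check a site-to-coordinate table before putting it into the Beats processors above, here is an added example (not Elastic's own code) that emulates the `when.network` condition and `add_fields` rules in Python; the CIDRs, coordinates and sample events are constructed for this illustration.

```python
"""Added example (not Elastic's code): emulate the Beats add_fields rules
above for a table of internal CIDRs, to preview which sample events get
source/destination geo.location before deploying the processors."""
import ipaddress

# Constructed site table: (CIDR, latitude, longitude); values are hypothetical.
INTERNAL_SITES = [
    ("10.1.0.0/16", 48.8566, 2.3522),      # e.g. a Paris office
    ("192.168.5.0/24", 52.5200, 13.4050),  # e.g. a Berlin lab
]
_NETWORKS = [(ipaddress.ip_network(c), lat, lon) for c, lat, lon in INTERNAL_SITES]


def lookup_site(ip_str):
    """Return {"lat", "lon"} for an IP inside a known internal CIDR, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # missing or malformed IP: no when.network condition matches
    for net, lat, lon in _NETWORKS:
        if ip in net:
            return {"lat": lat, "lon": lon}
    return None


def enrich(event):
    """Apply one add_fields rule per side (target '' puts fields at the root)."""
    out = dict(event)
    for side in ("source", "destination"):
        loc = lookup_site(event.get(f"{side}.ip", ""))
        if loc is not None:
            out[f"{side}.geo.location"] = loc  # add_fields overwrites the target
    return out


# Constructed sample events, using flattened ECS field names.
SAMPLE_EVENTS = [
    {"source.ip": "10.1.4.7", "destination.ip": "203.0.113.9"},
    {"source.ip": "192.168.5.20", "destination.ip": "10.1.200.1"},
    {"source.ip": "172.16.0.1"},  # private but not in the table: left as-is
]


def mappable(events):
    """Enriched events that would draw a connection line (both ends geo-tagged)."""
    enriched = [enrich(e) for e in events]
    return [e for e in enriched
            if "source.geo.location" in e and "destination.geo.location" in e]
```

Events whose public-side IP is left for the geoip ingest pipeline (like the first sample) only draw a line once that pipeline has filled in the other end.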