Enricher - MaxMind GeoIP#

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name

MaxMind GeoIP

Input

IPv4 addresses.

Output

Enriches input IP addresses with geographic location information looked up in an offline MaxMind GeoLite2-City database. Geographic accuracy is at city level.

Mount point

/absolute/path/to/GeoLite2-City.mmdb

Description

The MaxMind GeoIP enricher maps input IP addresses to their corresponding geographic locations by looking them up in an offline, locally stored MaxMind database. No network request is made to MaxMind.

Note

The default Source reliability value for this enricher is A – Completely reliable.
You can change it to a different reliability value, as needed.

Configure the enricher parameters#


  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the enricher.

  3. In the Path to database field, enter the absolute path to the offline, locally stored GeoLite2-City.mmdb database file in MaxMind DB format.
    Example: /media/data/GeoLite2-City.mmdb
    By default, private IP addresses and multicast/reserved ranges are excluded, so the enricher does not look up IP addresses with the following prefixes:

    • 10. (the 10.0.0.0/8 private block)

    • 172.16. to 172.31. (the 172.16.0.0/12 private block)

    • 192.168. (the 192.168.0.0/16 private block)

    • 224.0.

    • 224.3.

    • 224.4.

    • 232.

    • 233.

    • 234.

    • 239. (this and the preceding four prefixes lie in the 224.0.0.0/4 multicast block)

  4. To store your changes, click Save; to discard them, click Cancel.

Additional information#

For each input IP value, the enricher looks the address up in the GeoLite2-City.mmdb offline database.
Matches are stored in the platform as enrichment observables related to the corresponding input IP address(es); an address with no match produces no observables.

The MaxMind GeoIP enricher can produce the following enrichment observable types for an input IP address:

Observable type   Example value    Notes
city              Ojo Caliente     The city name as retrieved from the GeoLite2-City database.
country           United States    The country name as retrieved from the GeoLite2-City database.
country           New Mexico       The name of the subdivision region the input IP address falls in, for example a state, province, district, or prefecture.
country-code      US               The 2-character ISO 3166-1 alpha-2 code identifying the country.
country-code      NM               The subdivision part of the ISO 3166-2 code (for example NM from US-NM), identifying the country subdivision region.
geo-lat           36.2991398       Latitude of the location; values are approximate.
geo-long          -106.03678985    Longitude of the location; values are approximate.
postcode          87549            The postcode associated with the input IP address.

Mapping information#

Desired mapping from the fields of the GeoLite2-City lookup response to observable types:

  • response.country.name -> extract-type:country

  • response.country.iso_code -> extract-type:country-code

  • response.city.name -> extract-type:city

  • response.postal.code -> extract-type:postcode

  • response.location.latitude -> extract-type:geo-lat

  • response.location.longitude -> extract-type:geo-long
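The exclusion rule from step 3 of the configuration procedure and the mapping above, reproduced as an added Python example. This is not EclecticIQ platform code; it shows what the enricher does with one input address. The lookup is injected as a callable so the example runs offline against a constructed record; with a real database you would pass maxminddb.open_database("/media/data/GeoLite2-City.mmdb").get from the maxminddb package, whose Reader.get() returns a dict in the same shape. The EXCLUDED_NETWORKS list, the subdivision handling (which follows the table above) and the sample record are assumptions derived from this page, and the example treats all of 224.0.0.0/4 as multicast, a superset of the prefixes listed in step 3.

```python
"""Exclusion and mapping logic of the MaxMind GeoIP enricher, as an added example.

Not EclecticIQ platform code. The lookup is injected so the example runs offline;
with a real database pass maxminddb.open_database(path).get as the lookup.
"""
import ipaddress
from typing import Any, Callable, Dict, List, Optional, Tuple

# Ranges this page says are excluded by default: RFC 1918 private space, the
# 224.0.0.0/4 multicast block (a superset of the 224.0., 224.3., 232. ... prefixes
# listed in step 3) and the 240.0.0.0/4 reserved block. Assumption: the platform's
# exact list may differ slightly from this one.
EXCLUDED_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "224.0.0.0/4", "240.0.0.0/4")
]

# Constructed sample record shaped like the dict maxminddb.Reader.get() returns
# for a GeoLite2-City entry. Values mirror the examples on this page; the key is
# an RFC 5737 documentation address used only as a placeholder.
SAMPLE_DB: Dict[str, Dict[str, Any]] = {
    "203.0.113.7": {
        "city": {"names": {"en": "Ojo Caliente"}},
        "country": {"iso_code": "US", "names": {"en": "United States"}},
        "subdivisions": [{"iso_code": "NM", "names": {"en": "New Mexico"}}],
        "location": {"latitude": 36.2991398, "longitude": -106.03678985},
        "postal": {"code": "87549"},
    }
}

Observable = Tuple[str, str]  # (observable type, value)


def is_excluded(ip: str) -> bool:
    """True if the enricher would skip this address (not IPv4, or in an excluded range)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # not an IP address at all; nothing to look up
    if addr.version != 4:
        return True  # the enricher's input type is IPv4 only
    return any(addr in net for net in EXCLUDED_NETWORKS)


def to_observables(record: Dict[str, Any]) -> List[Observable]:
    """Apply the page's mapping to a raw GeoLite2-City record.

    In the raw maxminddb dict, response.country.name from the mapping section is
    record["country"]["names"]["en"]; the subdivision rows follow the table above.
    """
    out: List[Observable] = []
    country = record.get("country", {})
    if country.get("names", {}).get("en"):
        out.append(("country", country["names"]["en"]))
    if country.get("iso_code"):
        out.append(("country-code", country["iso_code"]))
    for sub in record.get("subdivisions", []):
        if sub.get("names", {}).get("en"):
            out.append(("country", sub["names"]["en"]))
        if sub.get("iso_code"):
            out.append(("country-code", sub["iso_code"]))
    city = record.get("city", {}).get("names", {}).get("en")
    if city:
        out.append(("city", city))
    postcode = record.get("postal", {}).get("code")
    if postcode:
        out.append(("postcode", postcode))
    loc = record.get("location", {})
    if "latitude" in loc and "longitude" in loc:
        out.append(("geo-lat", str(loc["latitude"])))
        out.append(("geo-long", str(loc["longitude"])))
    return out


def enrich(ip: str, lookup: Callable[[str], Optional[Dict[str, Any]]]) -> List[Observable]:
    """Enrich one address: drop excluded ranges, look it up, map any hit."""
    if is_excluded(ip):
        return []
    record = lookup(ip)
    if not record:
        return []  # no match in the database: nothing is stored
    return to_observables(record)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "10.1.2.3", "239.255.255.250"):
        print(ip, enrich(ip, SAMPLE_DB.get))
```

Running the module prints eight observables for the sample address and an empty list for the private and multicast addresses, which is the behaviour step 3 describes: excluded ranges never reach the database lookup at all, so they produce no enrichment observables rather than a lookup error.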