Logstash and Maxmind - Not Just for GEOIP Anymore
The Logstash geoip filter enriches events with location data looked up in a MaxMind database, normally one of MaxMind's freely downloadable GeoLite2 files in the MMDB format. But the filter is not tied to geolocation: point it at a database you have built yourself and it will attach any IP-keyed data to each event. The MMDB format stores its index as a binary tree walked one address bit at a time, so a lookup costs a handful of memory reads regardless of how many records the file holds. In our experience this is the fastest way to attach IP-based context to events at ingestion time without a measurable impact on pipeline throughput.
We demonstrate how to build custom databases in the MMDB format, and the matching Logstash filter configuration, to enrich events with other kinds of IP-keyed data, such as:
- Internal network descriptive information, such as segment and subnet, stored in IPAM or another network management tool;
- Information on individual internal endpoints, such as sensitivity, criticality, known vulnerabilities, compliance status, machine state;
- Threat intelligence on external IP addresses, derived from sources such as MISP, including severity, exploit type, intelligence reliability, and aging.
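As an added illustration (not code from the talk, and not MaxMind's or Logstash's own implementation) of why an IP-keyed database is a good fit for the three kinds of data listed above, the Python below builds a small bit-wise prefix tree in the spirit of the MMDB index, loads it with constructed IPAM, endpoint and threat-intel records, and then enriches a few constructed log events the way a geoip filter pointed at a custom file would. The networks, hostnames, severities and the `_ipenrich_lookup_failure` tag are all made up for the example; the lookup rule it demonstrates, longest matching prefix wins, is the one that lets a per-host /32 record override its enclosing subnet record.

```python
"""Added example: longest-prefix IP enrichment modelled on the MMDB lookup.

Constructed data only. In a real pipeline the RECORDS below would be
exported from IPAM, a CMDB or scanner, and MISP into an .mmdb file.
"""
import ipaddress
import json
from typing import Any, Dict, List, Optional

# Constructed enrichment records keyed by CIDR (assumed field names).
RECORDS: Dict[str, Dict[str, Any]] = {
    # internal network descriptions (IPAM)
    "10.0.0.0/8":        {"zone": "corp", "segment": "internal"},
    "10.20.0.0/16":      {"zone": "corp", "segment": "user-lan", "site": "hq"},
    # per-endpoint attributes (CMDB / scanner); the /32 overrides the /16
    "10.20.5.17/32":     {"zone": "corp", "segment": "user-lan", "site": "hq",
                          "host": "ws-0517", "criticality": "high",
                          "compliant": False, "open_critical_vulns": 2},
    # external threat intelligence (MISP-style attributes)
    "203.0.113.0/24":    {"threat": "scanner", "severity": "medium",
                          "reliability": "B", "first_seen": "2024-01-10"},
    "203.0.113.77/32":   {"threat": "c2", "severity": "critical",
                          "reliability": "A", "first_seen": "2024-03-02"},
    "2001:db8:bad::/48": {"threat": "phishing", "severity": "high",
                          "reliability": "C", "first_seen": "2024-02-20"},
}

# Constructed log events to enrich.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"src_ip": "10.20.5.17", "dst_ip": "203.0.113.77", "msg": "outbound TLS"},
    {"src_ip": "10.20.9.4", "dst_ip": "198.51.100.9", "msg": "dns query"},
    {"src_ip": "2001:db8:bad::1", "dst_ip": "10.1.1.1", "msg": "http GET"},
]


class _Node:
    __slots__ = ("children", "data")

    def __init__(self) -> None:
        self.children: List[Optional["_Node"]] = [None, None]
        self.data: Optional[Dict[str, Any]] = None


class IPTree:
    """Binary trie over 128-bit keys. IPv6 is used as-is; IPv4 is mapped to
    ::ffff:a.b.c.d so one tree serves both families (a simplification of how
    MMDB files place IPv4 inside the IPv6 space)."""

    def __init__(self) -> None:
        self.root = _Node()

    @staticmethod
    def _to_v6(ip: ipaddress._BaseAddress) -> int:
        if ip.version == 4:
            ip = ipaddress.IPv6Address("::ffff:" + str(ip))
        return int(ip)

    def insert(self, cidr: str, data: Dict[str, Any]) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        key = self._to_v6(net.network_address)
        plen = net.prefixlen + (96 if net.version == 4 else 0)
        node = self.root
        for i in range(plen):               # one tree level per prefix bit
            bit = (key >> (127 - i)) & 1
            if node.children[bit] is None:
                node.children[bit] = _Node()
            node = node.children[bit]
        node.data = data                     # record hangs off the prefix node

    def lookup(self, addr: str) -> Optional[Dict[str, Any]]:
        """Walk the address bits, remembering the last record passed, so the
        most specific (longest) matching prefix is returned."""
        key = self._to_v6(ipaddress.ip_address(addr))
        node, best = self.root, None
        for i in range(128):
            if node.data is not None:
                best = node.data
            nxt = node.children[(key >> (127 - i)) & 1]
            if nxt is None:
                break
            node = nxt
        else:                                # consumed all bits: /128 record
            if node.data is not None:
                best = node.data
        return best


def build_tree(records: Dict[str, Dict[str, Any]] = RECORDS) -> IPTree:
    tree = IPTree()
    for cidr, data in records.items():
        tree.insert(cidr, data)
    return tree


def enrich(event: Dict[str, Any], tree: IPTree, source: str, target: str) -> Dict[str, Any]:
    """Mimic a geoip-style filter: copy the record for event[source] into
    event[target]; on a miss, tag the event instead of dropping it."""
    out = dict(event)
    hit = tree.lookup(event[source]) if source in event else None
    if hit is None:
        out["tags"] = list(event.get("tags", [])) + ["_ipenrich_lookup_failure"]
    else:
        out[target] = dict(hit)
    return out


def enrich_all(events: List[Dict[str, Any]] = SAMPLE_EVENTS) -> List[Dict[str, Any]]:
    tree = build_tree()
    result = []
    for ev in events:
        ev = enrich(ev, tree, "src_ip", "src_info")
        ev = enrich(ev, tree, "dst_ip", "dst_info")
        result.append(ev)
    return result


if __name__ == "__main__":
    print(json.dumps(enrich_all(), indent=2))
```

On the Logstash side the same shape applies: the geoip filter's `database` option names the file, `source` the field holding the address and `target` the field the record is written to. Before relying on a custom file, check which database types the geoip filter in your Logstash version accepts, since it keys the fields it extracts on the type recorded in the file's metadata; a custom database must be written to a layout the filter recognises, or read through a different filter that can open arbitrary MMDB files.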