From 9569e73bd0522686ccd8145e19bec34f91dc5736 Mon Sep 17 00:00:00 2001
From: Dat
Date: Wed, 4 Aug 2021 12:28:21 -0700
Subject: [PATCH] Added ASN annotation for IP
---
 salt/elasticsearch/files/ingest/common | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common
index e8e462053..20a9d7f7e 100644
--- a/salt/elasticsearch/files/ingest/common
+++ b/salt/elasticsearch/files/ingest/common
@@ -21,6 +21,26 @@
 "properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
 }
 },
+ {
+ "geoip": {
+ "field": "destination.ip",
+ "target_field": "destination_geo",
+ "database_file": "GeoLite2-ASN.mmdb",
+ "ignore_missing": true,
+ "ignore_failure": true,
+ "properties": ["ip", "asn", "organization_name", "network"]
+ }
+ },
+ {
+ "geoip": {
+ "field": "source.ip",
+ "target_field": "source_geo",
+ "database_file": "GeoLite2-ASN.mmdb",
+ "ignore_missing": true,
+ "ignore_failure": true,
+ "properties": ["ip", "asn", "organization_name", "network"]
+ }
+ },
 { "set": { "if": "ctx.event?.severity == 1", "field": "event.severity_label", "value": "low", "override": true } },
 { "set": { "if": "ctx.event?.severity == 2", "field": "event.severity_label", "value": "medium", "override": true } },
 { "set": { "if": "ctx.event?.severity == 3", "field": "event.severity_label", "value": "high", "override": true } },
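Review bot: Both new processors write to `destination_geo` / `source_geo`, which from the context lines (a City-database property list ending in `timezone`, `location`) look like the same target fields the existing geoip processors above already use; the geoip processor sets `target_field` as a whole object rather than merging into it, so the ASN run would replace the country/city/location enrichment with only the ASN fields — worth confirming on a sample document before this lands. Giving the ASN output its own target, e.g. `"target_field": "destination.as"` and `"target_field": "source.as"`, keeps both enrichments and matches where ECS places autonomous-system data. With `ignore_failure` set on both processors such a clobber would be silent, so a quick check that country fields still populate after the pipeline change is the cheapest guard. The existing processors' `target_field` lines sit outside the hunk, so the overlap is inferred from the shared naming, not visible here.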