LogStash & MaxMind - it's not just for GeoIP any more!
The LogStash geoip filter enriches events with location data looked up from MaxMind's freely available GeoLite2 database. But did you know that you can point this filter at a database of your own, and enrich events with all kinds of other IP-related data? MaxMind stores its data in its own binary format (MMDB): a binary search tree over the address bits, keyed by network prefix, so a longest-prefix lookup costs a handful of memory reads and no external query. Our experience is that this is the very best way to retrieve any type of IP-based information and store it on the event at ingestion time without impacting performance. We demonstrate how to build custom databases in MaxMind's format, and the matching LogStash filter configuration, to enrich documents with all kinds of other information, such as:
Internal network descriptive information, such as segment and subnet, stored in IPAM or another network management tool;
Information on individual internal endpoints, such as sensitivity, criticality, known vulnerabilities, compliance status and machine state;
Threat intelligence on external IP addresses, derived from sources such as MISP, including severity, exploit type, and the reliability and age of the intelligence.
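One way to build such a database, as an added example and not code from the talk: a Perl script that uses MaxMind's MaxMind::DB::Writer module to compile a constructed IPAM export into an MMDB file, followed (in comments) by a Logstash geoip stanza that reads it. The subnets, segment names, file paths and event field names are assumptions. It also assumes a geoip filter version that chooses which record fields to read from the database's database_type metadata and rejects types it does not know, which is why the file declares itself as GeoIP2-City and places the custom values in the City fields (city_name, region_name) the filter already exposes; check this against the filter version you run.

```perl
#!/usr/bin/env perl
# Build a custom MMDB of internal network metadata for the Logstash geoip filter.
# Added example, not the talk's code. Requires the MaxMind::DB::Writer CPAN module.
# The subnets and attributes below are constructed sample data, not a real network.
use strict;
use warnings;
use MaxMind::DB::Writer::Tree;

# The writer must know the MMDB data type of every map key it stores.
# Arrays are declared as [ 'array', <element type> ].
my %types = (
    city         => 'map',
    subdivisions => [ 'array', 'map' ],
    names        => 'map',
    en           => 'utf8_string',
    segment      => 'utf8_string',
    subnet       => 'utf8_string',
    sensitivity  => 'utf8_string',
    vlan         => 'uint16',
);

# Constructed IPAM export: subnet => attributes (assumed shape of what IPAM hands us).
my %ipam = (
    '10.10.0.0/16'    => { segment => 'corp-users',     vlan => 10,  sensitivity => 'low' },
    '10.20.5.0/24'    => { segment => 'pci-cardholder', vlan => 205, sensitivity => 'high' },
    '192.168.99.0/24' => { segment => 'ot-plant-floor', vlan => 99,  sensitivity => 'critical' },
);

my $tree = MaxMind::DB::Writer::Tree->new(
    ip_version            => 4,
    record_size           => 24,
    # Assumption: declare a type the geoip filter accepts so it agrees to load the file.
    database_type         => 'GeoIP2-City',
    languages             => ['en'],
    description           => { en => 'Internal IPAM segments (constructed sample)' },
    map_key_type_callback => sub { $types{ $_[0] } },
);

for my $cidr ( sort keys %ipam ) {
    my $attrs = $ipam{$cidr};
    $tree->insert_network(
        $cidr,
        {
            # Fields the City-type filter exposes: city.names.en becomes city_name,
            # subdivisions[0].names.en becomes region_name.
            city         => { names => { en => $attrs->{segment} } },
            subdivisions => [ { names => { en => $attrs->{sensitivity} } } ],
            # Raw keys kept for other MMDB readers (e.g. mmdblookup); the geoip
            # filter is assumed to ignore keys it does not model.
            segment      => $attrs->{segment},
            subnet       => $cidr,
            vlan         => $attrs->{vlan},
            sensitivity  => $attrs->{sensitivity},
        },
    );
}

open my $fh, '>:raw', 'ipam.mmdb' or die "cannot write ipam.mmdb: $!";
$tree->write_tree($fh);
close $fh;

# Matching Logstash filter (assumed paths and event field names):
#   filter {
#     geoip {
#       source   => "[source][ip]"
#       database => "/etc/logstash/ipam.mmdb"
#       target   => "[source][ipam]"
#       fields   => ["city_name", "region_name"]
#     }
#   }
```

Install MaxMind::DB::Writer from CPAN, run the script, and confirm a lookup with libmaxminddb's CLI, `mmdblookup --file ipam.mmdb --ip 10.20.5.7`, before wiring the file into the pipeline; with the stanza above, a matching event carries `[source][ipam][city_name]` = `pci-cardholder` and `[source][ipam][region_name]` = `high`. For IPv6 or mixed address families set `ip_version` to 6.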
In this presentation, we will share real-world client experiences, including cookbooks, limitations and gotchas. Attendees will learn when and how to implement custom MaxMind databases and LogStash filters for their own use cases.