IP GeoLocation Rules
The LimaCharlie geolocation API (api/ip-geo) enables you to use geolocation information about an IP address as part of your real-time Detection & Response rules.

What does this mean? Your D&R rules can query geo information about an IP address as a lookup rule and then act based on its content.

This information can be used to generate important context for analysts. Global organizations often have employees traveling around the globe and it is no secret that bringing assets into certain countries can open them up to compromise. Being able to determine if an asset has been in country X during the last 3 months can be a useful piece of information when doing threat hunting or incident response.


The following rule tags a sensor the first time its external IP geolocates to China; the is tagged check (with not: true) stops it from firing again once the tag is present. The detect and respond sections are shown together as one rule:

detect:
  op: and
  rules:
    # Only fire for sensors that have not already been tagged.
    - op: is tagged
      tag: recently-in-china
      not: true
    # Look up the event's external IP in the geolocation API and test
    # the country code returned in the lookup result.
    - op: lookup
      resource: lcr://api/ip-geo
      path: event/ext_ip
      metadata_rules:
        op: is
        path: country/iso_code
        value: CN

respond:
  - action: add tag
    tag: recently-in-china
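To trace how the rule above behaves, here is an added example (not LimaCharlie's own code or SDK): a small offline interpreter for the four operators the rule uses, with a constructed table standing in for the api/ip-geo lookup. The nesting of the country test under a metadata_rules key, the sample IPs and their country results are assumptions made for the example.

```python
# Added example, not LimaCharlie code: a minimal offline interpreter for the
# D&R operators the rule above uses (and, is tagged, lookup, is), so the
# tagging logic can be traced on constructed events. GEO_DB stands in for
# lcr://api/ip-geo; its addresses and results are constructed sample data.

GEO_DB = {
    "203.0.113.10": {"country": {"iso_code": "CN"}},
    "198.51.100.7": {"country": {"iso_code": "US"}},
}

RULE = {
    "op": "and",
    "rules": [
        {"op": "is tagged", "tag": "recently-in-china", "not": True},
        {"op": "lookup", "resource": "lcr://api/ip-geo", "path": "event/ext_ip",
         # sub-rule applied to the lookup result (key name assumed)
         "metadata_rules": {"op": "is", "path": "country/iso_code", "value": "CN"}},
    ],
}

def get_path(doc, path: str):
    """Walk a slash-separated path such as event/ext_ip through nested dicts."""
    for part in path.split("/"):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def evaluate(rule: dict, doc: dict, tags: set) -> bool:
    """Evaluate one rule node against a document (event or lookup result)."""
    op = rule["op"]
    if op == "and":
        result = all(evaluate(r, doc, tags) for r in rule["rules"])
    elif op == "is tagged":
        result = rule["tag"] in tags
    elif op == "is":
        result = get_path(doc, rule["path"]) == rule["value"]
    elif op == "lookup":
        hit = GEO_DB.get(get_path(doc, rule["path"]))  # None when the IP is unknown
        result = hit is not None and evaluate(rule["metadata_rules"], hit, tags)
    else:
        raise ValueError(f"unsupported op: {op}")
    return (not result) if rule.get("not") else result  # honour `not: true`

def process(event: dict, tags: set) -> bool:
    """Run detect, then the respond action (add tag). Returns True if the rule fired."""
    if not evaluate(RULE, event, tags):
        return False
    tags.add("recently-in-china")
    return True
```

Feeding the same China-geolocated event twice shows the is tagged guard doing its job: the first call tags the sensor and the second call does not fire.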

This is of course just one type of usage. You could geo-fence certain users on sensitive assets using the network-isolation feature, or route alerts to the relevant SOC based on location; the beauty of D&R rules is that you can adapt them to your organization in ways we could never predict.

The full documentation on the geolocation and format of the data is available here.

Happy hunting!