IP GeoLocation Rules


The LimaCharlie geolocation API (api/ip-geo) enables you to use geolocation information about an IP address as part of your real-time Detection & Response rules.

What does this mean? Your D&R rules can query geolocation information about an IP address through a lookup rule and then act on the result, for example by tagging the sensor or raising a detection.

This information can be used to generate important context for analysts. Global organizations often have employees traveling around the globe, and it is no secret that bringing assets into certain countries can open them up to compromise. Being able to determine whether an asset has been in country X during the last 3 months can be a useful piece of information when doing threat hunting or incident response.

Geolocation

An example of this kind of detection is as follows. On every CONNECTED event, the rule looks up the sensor's external IP against the geolocation API and, if the IP resolves to China and the sensor has not already been tagged, tags it as recently-in-china.

Detection:
op: and
rules:
  # Only consider sensors that do not already carry the tag, so the
  # response does not fire again on every subsequent connection.
  - op: is tagged
    tag: recently-in-china
    not: true
    event: CONNECTED
  # Resolve the sensor's external IP with the geolocation API and
  # evaluate metadata_rules against the returned record.
  - op: lookup
    resource: lcr://api/ip-geo
    path: event/ext_ip
    metadata_rules:
      # Match when the ISO country code is CN. (The original example
      # carried "not: true" here, which would have tagged every sensor
      # outside China instead.)
      op: is
      path: country/iso_code
      value: CN
Response:
# Tag the sensor; a ttl (in seconds) can be added to the action so the
# tag expires after the window you care about, e.g. the 3 months above.
- action: add tag
  tag: recently-in-china

This is of course just one type of usage. You could geo-fence certain users on sensitive assets using the network-isolation feature, you could redirect alerts to the relevant SOC based on location - the beauty of the D&R rules is that you can adapt them and make them relevant to your organization in ways we could never predict.
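As an added illustration of the geo-fencing use case (this rule is not from the original page or from LimaCharlie's own documentation), the following D&R rule isolates a sensitive asset that connects from outside an allowed set of countries. The sensitive-asset tag, the allowed country codes and the detection name are assumptions chosen for the example; the lookup resource, path and the isolate network, report and add tag actions are the platform's own.

```yaml
# Added example, not part of the original page: geo-fence sensitive assets.
# Assumption: hosts carrying the "sensitive-asset" tag are only ever
# expected to connect from the countries listed in the regex below.
Detection:
  op: and
  event: CONNECTED
  rules:
    - op: is tagged
      tag: sensitive-asset
    - op: lookup
      resource: lcr://api/ip-geo
      path: event/ext_ip
      metadata_rules:
        # Allow-list, negated: match when the country is NOT one of these.
        op: matches
        path: country/iso_code
        re: '^(US|CA|GB)$'
        not: true
Response:
  # Surface the event to the SOC as a named detection...
  - action: report
    name: sensitive-asset-outside-geofence
  # ...cut the host off the network until an analyst releases it...
  - action: isolate network
  # ...and leave a marker so later rules and hunts can find the host.
  - action: add tag
    tag: geofence-violation
```

Bear in mind that ext_ip is the address the sensor connects from, so a roaming host on a full-tunnel corporate VPN will resolve to the VPN egress country rather than its physical location.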

The full documentation on the geolocation and format of the data is available here.

Happy hunting!