garmao

ArcSight add IP Country block information


Hello,

I'm using ArcSight v6 and I'm trying to figure out the best way to add IP block country information to the various entries I receive on the ESM; this would allow me to create reports and analyze where the attacks are coming from.

I thought the best way would be to create a structure of various Zones; in this way ArcSight would automatically add this information for me, but I would need to find a reliable database of "netblocks/countries" and also keep it updated, and I'm reading about concerns with having too many Zones.

Do you have any suggestion on how to approach this need?

thanks a lot

Gabriele

Accepted Solution
jorgeoa

Re: ArcSight add IP Country block information


Hello Gabriele,

I think you could use the GeoIP location info added to the events by the ESM. This includes the country code/name. The database used by the ESM is the MaxMind GeoIP City (almost in Express).

Regards,

Jorge
