Captain
1285 views

GEO Country Code


Does anyone know how the GEO information is defined within ESM?  If I look at an event and it says "CHINA = Destination Geo Country Name", how did it calculate that?

Thanks!

7 Replies
Cadet 2nd Class

It's from the IP registries on the internet (ARIN, APNIC, and others) based on where the registries say the subnet is located.  I'd also venture a guess they pull AS info to help narrow it down further.  One caveat - it's not always accurate.  I've had it say that a legit subnet is Dark Space, so take it with a grain of salt.

Captain

Thank you Chris.

So, by the sounds of it, this is dynamic and could change over time?  Or is ESM packaged with the information from ARIN etc. and it never updates?

I am asking because we are looking to build content around the country codes (the naughty countries) and I want to have confidence that it will be accurate.

Thanks again.

Cadet 2nd Class

It's dynamic, but the updated geo info is in the monthly context update. I'm actually working on a rule as we speak to track OWA access attempts from outside the US, especially those naughty countries.
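To make the two points in the replies above concrete (the country comes from a registry-derived network-to-country table, and an unmapped address should be treated with suspicion rather than silently ignored), here is an added example that is not part of the original thread and not ArcSight's or MaxMind's own code. It loads a tiny, constructed CSV in the same shape as a MaxMind GeoLite2 country block file (the networks and their country assignments are invented; they are documentation ranges, not real geolocation data), resolves an IP with longest-prefix match the way a real GeoIP lookup does, and then runs a simple "OWA access from outside the home country" rule over a few constructed log lines. The log format, field names, and severity levels are assumptions for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed stand-in for a MaxMind-style "network,country_iso_code,country_name"
# block file. Real files have millions of rows and are refreshed periodically
# (ESM ships them in the context update); these rows are invented for illustration.
GEO_CSV = """network,country_iso_code,country_name
10.0.0.0/8,US,United States
203.0.113.0/24,CN,China
198.51.100.0/24,RU,Russia
192.0.2.0/24,US,United States
192.0.2.128/25,GB,United Kingdom
"""

GeoEntry = namedtuple("GeoEntry", "network iso name")


def load_geo_table(csv_text):
    """Parse the CSV into GeoEntry rows, most-specific prefix first.

    Sorting by prefix length (descending) lets lookup_country() return the
    first containing network, which is the longest match: 192.0.2.128/25 (GB)
    wins over the enclosing 192.0.2.0/24 (US).
    """
    entries = []
    for line in csv_text.strip().splitlines()[1:]:  # skip the header row
        net, iso, name = line.split(",", 2)
        entries.append(GeoEntry(ipaddress.ip_network(net), iso, name))
    entries.sort(key=lambda e: e.network.prefixlen, reverse=True)
    return entries


def lookup_country(table, ip_str):
    """Return (iso_code, country_name); (None, None) if no block contains the IP.

    An address that falls in no published block is what ESM labels 'Dark Space';
    the caveat in the thread is that this can also hit legitimately used ranges
    the table simply does not know about yet, so callers should not treat
    'unknown' as 'safe' or as 'hostile' without further context.
    """
    ip = ipaddress.ip_address(ip_str)
    for entry in table:
        if ip.version == entry.network.version and ip in entry.network:
            return entry.iso, entry.name
    return None, None


# Constructed OWA access log lines in an assumed key=value format.
OWA_LOG = """2020-04-01T10:00:01Z src=10.1.2.3 user=alice url=/owa/auth.owa status=200
2020-04-01T10:00:05Z src=203.0.113.45 user=bob url=/owa/auth.owa status=401
2020-04-01T10:00:09Z src=198.51.100.7 user=carol url=/owa/auth.owa status=200
2020-04-01T10:00:12Z src=192.0.2.200 user=dave url=/owa/auth.owa status=200
2020-04-01T10:00:15Z src=100.64.0.9 user=erin url=/owa/auth.owa status=200
2020-04-01T10:00:20Z src=10.9.9.9 user=frank url=/ecp/ status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)


def find_foreign_owa_access(table, log_text, home_country="US",
                            watchlist=frozenset({"CN", "RU"})):
    """Flag OWA requests whose source country is not the home country.

    Severity (an assumed scheme): 'high' for a watchlisted country, 'medium'
    for an address the table cannot place (so a stale or incomplete GeoIP
    table does not hide traffic), 'low' for any other foreign country.
    """
    alerts = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("url").startswith("/owa/"):
            continue  # malformed line or not an OWA request
        iso, name = lookup_country(table, m.group("src"))
        if iso == home_country:
            continue
        if iso in watchlist:
            severity = "high"
        elif iso is None:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "time": m.group("ts"),
            "user": m.group("user"),
            "src": m.group("src"),
            "country": iso,
            "country_name": name,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    geo = load_geo_table(GEO_CSV)
    for alert in find_foreign_owa_access(geo, OWA_LOG):
        print(alert)
```

Because the mapping is only as good as the table behind it, the same code run against last month's CSV and this month's can give different answers for the same address; reload the table on the same cadence ESM refreshes its context data, and keep the "unknown country" branch in any rule built on these fields rather than matching only on the watchlist.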
Captain

Thanks Chris.  I appreciate the help!

Absent Member

They use the MaxMind GeoIP database. There is another thread about this:

https://protect724.arcsight.com/click.jspa?searchID=95658&objectType=2&objectID=6761.

Captain

One more question (it's related):  Do asset zones get updated in the same manner?  Obviously our internal assets wouldn't be, but I'm talking about the "ArcSight System" stuff i.e. Dark Address Space Zones.

Thank you!

Absent Member

Those zones are normally only updated when doing major ArcSight upgrades. They changed between 4.x and 5.0, for example. The GeoIP database provided by ArcSight is updated as part of the Context update and is released every month or so. You can also update it yourself using the free or paid ($$) version you can get directly from MaxMind.

Dean

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.