Hello guys,
I'm trying to use the AS a given public IP is part of in the detection logic of a rule.
I can see the metadata in the "Overview" results of the UDM search for a public IP (see entity.artifact.network.asn):
Issue:
In my rule I'm trying to use the entity graph to enrich the results (cannot use auto-enriched fields because the IP lies in network.dns.answers.data, would've been too easy) but it seems that I cannot access the same data as what I see in the "Overview" pane. From rule results, the only entity data I have for the same IP is from DERIVED_CONTEXT and does not contain the AS metadata:
What am I missing? How can I retrieve the AS from a rule in order to use it in the filtering logic or the outcome section?
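For readers landing on this thread, here is the shape of the entity-graph join the question describes, written out as an added example rather than the poster's own rule. The rule name, the `$e`/`$ip_entity` variable names, the 1h match window and the NETWORK_DNS event type are assumptions; the UDM and entity fields (network.dns.answers.data, entity.artifact.ip, entity.artifact.network.asn, metadata.source_type) are the ones named in the thread. The second outcome variable records which source_type the join actually matched, which is the check to run before trusting the ASN value: the original poster reports that for this IP the join only returns DERIVED_CONTEXT entities without ASN data, and this example does not change that.

```yara-l
rule dns_answer_asn_lookup_example {
  // Added illustration of joining a DNS answer IP against the entity graph.
  // Not from the original thread; field names assumed as described in the lead-in.

  meta:
    author = "example"
    description = "Look up the ASN of a resolved IP via the entity graph (illustrative)"
    severity = "INFORMATIONAL"

  events:
    // DNS response events; the resolved address sits in the repeated
    // network.dns.answers.data field, which is not auto-enriched.
    $e.metadata.event_type = "NETWORK_DNS"
    $e.network.dns.answers.data = $ip

    // Join the resolved IP to IP_ADDRESS entities in the entity graph.
    $ip_entity.graph.metadata.entity_type = "IP_ADDRESS"
    $ip_entity.graph.entity.artifact.ip = $ip

  match:
    $ip over 1h

  outcome:
    // Which entity sources the join matched: if this only ever shows
    // DERIVED_CONTEXT, the ASN field below will come back empty.
    $entity_sources = array_distinct($ip_entity.graph.metadata.source_type)
    // The AS metadata the question is after, when the matched entity carries it.
    $asn = array_distinct($ip_entity.graph.entity.artifact.network.asn)

  condition:
    $e and $ip_entity
}
```

Run this as a test rule (or a retrohunt) over a window that contains the IP in question and read `$entity_sources` in the detection outcome: it tells you whether any entity source other than DERIVED_CONTEXT was joined, which is the precondition for `$asn` being populated.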
Let me know if these other Community entries help out at all:
https://www.googlecloudcommunity.com/gc/SecOps-SIEM/Issue-with-YARA-L/m-p/841157
https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Using-UDM-Searches-in-Da...
Hello @kentphelps ,
Thanks for your answer!
Unfortunately, I can't apply what is described in those resources. Indeed, they make use of auto-enriched fields linked to principal.ip & target.ip, but in my use case the IP address is stored in network.dns.answers.data and this UDM field is not automatically enriched.