This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

IP_ADDRESS entity metadata (AS / ASN)

Posted a month ago
chrisd2
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello guys,

I'm trying to use the AS a given public IP is part of in the detection logic of a rule.
I can see the metadata in the "Overview" results of the UDM search for a public IP (see entity.artifact.network.asn) :

chrisd2_0-1744208827661.png

Issue :

In my rule I'm trying to use the entity graph to enrich the results (cannot use auto-enriched fields because the IP lays in network.dns.answers.data, would've been too easy ๐Ÿ˜…) but it seems that I cannot access the same data than what I see in the "Overview" pane. From rule results, the only entity data I have for the same IP is from DERIVED_CONTEXT and does not contains the AS metadata :

chrisd2_1-1744207757545.png

What am I missing ? How can I retrieve the AS from a rule in order to use it in the filtering logic or outcome section ?

0 2 148
0 Likes
2 REPLIES 2
Top Solution Authors
View all