User metadata as field

kbering · May 15, 2024, 4:13pm

Hello

Is it possible to overwrite the field client.as.organization.name using the user metadata file User-Defined Metadata | ElastiFlow ?

Best regards

Kaare

egraham · May 15, 2024, 4:53pm

Hi Kaare,

Yes you can use the same field name in the ipaddrs.yml to overwrite the value for a specific IP subnet, range or host IP.

Eric

kbering · May 17, 2024, 10:51am

Ok, so I have tried this in ipaddres.yml:

10.10.0.0/24:
  client.as.organization.name: "companyA"

But the value stays PRIVATE can I overrule this?

dxturner · May 17, 2024, 12:22pm

Is EF_PROCESSOR_ENRICH_IPADDR_METADATA_ENABLE in flowcoll.yml set to true?

Should the syntax in ipaddrs.yml be?

10.10.0.0/24:
  metadata:
     client.as.organization.name: "companyA"

kbering · May 17, 2024, 1:07pm

I have this i the settings, and other metadata settings are working fine:

      EF_PROCESSOR_ENRICH_IPADDR_METADATA_ENABLE: 'true'
      EF_PROCESSOR_ENRICH_IPADDR_METADATA_USERDEF_PATH: '/etc/elastiflow/metadata/ipaddrs.yml'
      EF_PROCESSOR_ENRICH_IPADDR_METADATA_REFRESH_RATE: 15

Putting the client.as.organization.name under metadata does not change the PRIVATE value

system · June 16, 2024, 1:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Abount netif.yml ElastiFlow Community flow-collector	2	33	August 1, 2024
ElastiFlow (flow): Mitre ATT&CK Saved Objects Not Working ElastiFlow Community flow-collector	2	22	September 7, 2024
Rename interface ElastiFlow Community	3	58	July 14, 2024
IPPORT Enricher not working ElastiFlow Community	3	7	August 29, 2024
The interface is not recognized ElastiFlow Community kibana , dashboards , elasticsearch , flow-collector	10	97	July 18, 2024

User metadata as field

Related Topics