Configure network map data
Depending on your setup, to display and interact with data on the Network page's map you might need to complete one or more of the steps described in the following sections.

To see source and destination connection lines on the map, you must configure the source.geo and destination.geo ECS fields for your indices.
Permissions required

To view the map, you need the appropriate predefined user role or a custom role with at least Read privileges for the Maps feature.
Create data views

To display map data, you must define a data view (Project settings → Management → Data views) that includes one or more of the indices specified in the securitysolution:defaultIndex field in advanced settings.

For example, to display data that is stored in indices matching the index pattern servers-europe-* on the map, you must use a data view whose index pattern matches servers-europe-*, such as servers-*.
Add geoIP data

When the ECS source.geo.location and destination.geo.location fields are mapped, network data is displayed on the map.

If you use Beats, configure a geoIP processor to add data to the relevant fields:

1. Define an ingest node pipeline that uses one or more geoIP processors to add location information to events. For example, use the Console in Dev tools to create the following pipeline:

    PUT _ingest/pipeline/geoip-info
    {
      "description": "Add geoip info",
      "processors": [
        { "geoip": { "field": "client.ip", "target_field": "client.geo", "ignore_missing": true } },
        { "geoip": { "field": "source.ip", "target_field": "source.geo", "ignore_missing": true } },
        { "geoip": { "field": "destination.ip", "target_field": "destination.geo", "ignore_missing": true } },
        { "geoip": { "field": "server.ip", "target_field": "server.geo", "ignore_missing": true } },
        { "geoip": { "field": "host.ip", "target_field": "host.geo", "ignore_missing": true } }
      ]
    }

   In this example, the pipeline ID is geoip-info. field specifies the field that contains the IP address to use for the geographical lookup, and target_field is the field that will hold the geographical information. "ignore_missing": true configures the pipeline to continue processing when it encounters an event that doesn't have the specified field. An example ingest pipeline that uses the GeoLite2-ASN.mmdb database to add autonomous system number (ASN) fields can be found in the Elasticsearch geoip processor documentation.

2. In your Beats configuration files, add the pipeline setting under the output.elasticsearch tag. The value of this field must be the same as the ingest pipeline name in step 1 (geoip-info in this example).
Map your internal network

If you want to add your network's internal IP addresses to the map, define geo location fields under the processors tag in the Beats configuration files on your hosts:

    processors:
      - add_host_metadata:
      - add_cloud_metadata: ~
      - add_fields:
          when.network.source.ip: <private/IP address>
          fields:
            source.geo.location:
              lat: <latitude coordinate>
              lon: <longitude coordinate>
          target: ''
      - add_fields:
          when.network.destination.ip: <private/IP address>
          fields:
            destination.geo.location:
              lat: <latitude coordinate>
              lon: <longitude coordinate>
          target: ''

You can also enrich your data with other host fields.
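As an added example (not Elastic's documentation or code), the following Python script mimics offline the two enrichment steps described above, the Beats add_fields processors for internal subnets and the geoip-info pipeline's geoip processors with "ignore_missing": true, and then checks whether an event ends up with both source.geo.location and destination.geo.location, which the map needs before it draws a connection line. The GeoIP lookup table, the internal subnet (10.1.0.0/16) and the sample events are constructed stand-ins, not real GeoLite2 data.

```python
import ipaddress

# Constructed stand-in for the GeoLite2 database behind the geoip processor:
# only public addresses (TEST-NET-3 here); private ranges are absent, as in a real DB.
GEOIP_DB = {"203.0.113.10": {"lat": 51.50, "lon": -0.12}}

# Constructed equivalent of the add_fields "when.network.<direction>.ip" condition:
# internal CIDR -> coordinates the map should show for that subnet.
INTERNAL_NETWORKS = {"10.1.0.0/16": {"lat": 40.71, "lon": -74.00}}

# Same field/target pairs as the geoip-info pipeline above.
GEOIP_FIELDS = [("client.ip", "client.geo"), ("source.ip", "source.geo"),
                ("destination.ip", "destination.geo"),
                ("server.ip", "server.geo"), ("host.ip", "host.geo")]

def add_fields_step(event, direction):
    """Beats add_fields: set <direction>.geo.location when the IP is in an internal subnet."""
    ip = event.get(f"{direction}.ip")
    if ip is None:
        return event
    for cidr, loc in INTERNAL_NETWORKS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            event[f"{direction}.geo"] = {"location": dict(loc)}
    return event

def geoip_step(event, field, target_field, ignore_missing=True):
    """One geoip processor: look up event[field] and write <target_field>.location."""
    ip = event.get(field)
    if ip is None:
        if ignore_missing:  # "ignore_missing": true -> skip this processor, keep going
            return event
        raise KeyError(f"field [{field}] not present")  # without it the document is rejected
    loc = GEOIP_DB.get(ip)
    if loc is not None:  # unknown or private IPs leave the target field untouched
        event[target_field] = {"location": dict(loc)}
    return event

def enrich(event):
    """Order matters: Beats processors run on the host before the ingest pipeline."""
    for direction in ("source", "destination"):
        add_fields_step(event, direction)
    for field, target in GEOIP_FIELDS:
        geoip_step(event, field, target)
    return event

def map_drawable(event):
    """The map draws a connection line only when both ends carry a geo location."""
    return all("location" in event.get(f"{d}.geo", {})
               for d in ("source", "destination"))
```

Events use Beats-style dotted keys ("source.ip") rather than nested objects; a private source address that matches no add_fields entry keeps no location, which is why internal traffic is missing from the map until you add those processors.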