GeoIP

GeoIP integrations automatically enrich your logs with location and Autonomous System (AS) context for IP addresses during ingestion. By matching ip addresses against a GeoIP database as logs are indexed, you can:

Detect activity from unexpected countries, continents, or networks
Investigate incidents faster with geographic and ownership context already embedded in your log data
Filter and group logs by country, continent, ASN, or AS organization just like any other log field
Reduce manual lookups — GeoIP context is searchable and filterable alongside the rest of your data

Scanner syncs GeoIP databases from external providers into MMDB-format lookup tables, then uses those tables to enrich your logs as they're ingested. Once enriched, the GeoIP data becomes part of your searchable log data and can be used in queries and detection rules.

Supported Providers

Scanner currently supports:

IPinfo Lite: a free GeoIP dataset from IPinfo that provides country, continent, and ASN/AS organization information for IPv4 and IPv6 addresses. The dataset is distributed in MMDB format and is updated by IPinfo on an ongoing basis.

IPinfo Lite is the free tier of IPinfo's offering. An IPinfo account and API token are required to download the file even though the dataset itself is free.

Setting Up IPinfo Integration

Prerequisites

You will need:

An IPinfo account and API token from https://ipinfo.io/

Creating the Integration

Add the integration

In Scanner, navigate to Settings → Integrations, click Add Integration, and select IPinfo.

Provide credentials

Enter a descriptive name for the connection and your IPinfo API token.

Create a synced lookup table

Click New Table to create a synced lookup table backed by IPinfo Lite.

Name the table

Provide a name for the synced lookup table. Allow 10–15 minutes for the initial sync to complete and the table to appear in the Library.

Lookup table names cannot be changed after creation, since they're used as identifiers in transformation references.

Finalize

Scanner will automatically create the synced lookup table and keep it up to date with new IPinfo Lite releases. Note: these lookup tables cannot be manually modified.

Auto-Syncing

GeoIP lookup tables are automatically synced on a regular schedule. When you create a new integration, Scanner queues up an initial background sync that typically completes within 10–15 minutes.

During each sync:

Scanner checks IPinfo's published checksum for the dataset and skips the download entirely if the file hasn't changed since the last sync
When the file has changed, Scanner downloads the latest MMDB and atomically replaces the previous version
All transformations referencing the table pick up the new data on subsequent log ingestion

Using IPinfo Enrichment

Once you've set up your IPinfo integration and created a synced lookup table, you can add the Enrich with IPinfo transformation to your Index Rules to automatically enrich logs during ingestion.

This transformation reads an IP address from a configurable field on each event, looks it up in the synced MMDB, and merges location and AS context into the event under a configurable target path.

Parameters

When configuring the transformation in your Index Rule, you'll need to specify:

Variant: The IPinfo dataset to use. Currently only IPinfo Lite is supported.
Lookup Table: A lookup table synced from your IPinfo integration with a matching variant.
Source Path: The field path containing the IP address to enrich (e.g., @ecs.source.ip, @ecs.destination.ip). If the field is missing, empty, or doesn't match any record in the database, the log is left unchanged.
Target Path: The base path under which geo and as sub-objects are merged. For example, a target path of @ecs.source writes results to @ecs.source.geo.* and @ecs.source.as.*. Existing fields under geo and as are preserved (the transformation merges into them rather than overwriting).

To enrich both source and destination IPs, add the transformation twice — once with @ecs.source.ip / @ecs.source and once with @ecs.destination.ip / @ecs.destination.

Output Structure

When a match is found, the transformation merges fields aligned with the Elastic Common Schema under <target_path>.geo and <target_path>.as:

Under <target_path>.geo:

country_iso_code: ISO 3166-1 alpha-2 country code (e.g., "DE")
country_name: Country name (e.g., "Germany")
continent_code: 2-letter continent code (e.g., "EU")
continent_name: Continent name (e.g., "Europe")

Under <target_path>.as:

number: Autonomous System Number as an integer (e.g., 15169)
organization.name: Name of the organization that owns the AS (e.g., "Google LLC")

Empty fields from the underlying dataset are skipped, so events are never polluted with empty strings.

Example

For an enrichment configured with Source Path @ecs.source.ip and Target Path @ecs.source:

// Input log event
{
  "@ecs": {
    "source": {
      "ip": "8.8.8.8"
    }
  }
}

// Output log event (assuming match)
{
  "@ecs": {
    "source": {
      "ip": "8.8.8.8",
      "geo": {
        "country_iso_code": "US",
        "country_name": "United States",
        "continent_code": "NA",
        "continent_name": "North America"
      },
      "as": {
        "number": 15169,
        "organization": {
          "name": "Google LLC"
        }
      }
    }
  }
}

Troubleshooting

Lookup table hasn't appeared yet

The initial sync can take up to 10–15 minutes after you create the integration.
Confirm in Settings → Integrations that the IPinfo integration is connected and that the API token is valid.

Enrichment not appearing in logs

Confirm the Enrich with IPinfo transformation is added to your Index Rule and that the rule applies to the logs you're inspecting.
Verify the Source Path matches your actual log structure (e.g., your logs really do contain @ecs.source.ip). Use the Index Rule preview to inspect a sample event.
Remember that enrichment is best-effort — private/reserved address ranges and IPs not present in the dataset will not produce any output.

Managing Integrations

Note: Deleting an integration will not delete the lookup table. The table will remain available for transformations but will no longer sync with new GeoIP data. This means your GeoIP data will become stale over time. Stale tables can be re-connected to a new integrations of the same type.

PreviousThreat Intelligence NextQuerying & Analysis

Last updated 21 days ago

Was this helpful?