Can one use the value from an ip-asn lookup as part of the key for a suppression rule? I’d like to report logins that originate from new ASes, but only once. Possible?
Looks like the ASN is not currently in the IP Geo from Maxmind (which we use): IP Geolocation
Do you know of a free/open database that does it? We might be able to implement it pretty easily.
After that, yes it’s possible like:
```yaml
detect:
  event: USER_LOGIN
  op: lookup
  path: event/SOURCE_IP
  resource: lcr://api/ip-asn        # enriches the event with the ASN of SOURCE_IP
respond:
  - action: report
    name: first-login-from-asn
    suppression:
      max_count: 1                  # at most one report per key set ...
      period: 720h                  # ... per 30-day window
      is_global: true
      keys:
        - 'first-asn'
        - '{{ .event.USER_NAME }}'
        - '{{ .mtd.lcr___api_ip_asn.autonomous_system_number }}'
```
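To see what the suppression keys above actually buy you, here is an added model of that rule's key rendering and per-key window (constructed for this thread, not LimaCharlie's own engine); it assumes a single shared store standing in for `is_global: true` and uses integer hours as timestamps.

```python
import re

# Key templates copied from the rule above; a report is suppressed when another
# report with the same rendered key tuple was emitted within PERIOD_HOURS.
RULE_KEYS = [
    "first-asn",
    "{{ .event.USER_NAME }}",
    "{{ .mtd.lcr___api_ip_asn.autonomous_system_number }}",
]
MAX_COUNT = 1
PERIOD_HOURS = 720

_TEMPLATE = re.compile(r"\{\{\s*\.([\w.]+)\s*\}\}")


def render_key(template, ctx):
    """Expand '{{ .a.b.c }}' by walking the dotted path through ctx."""
    def lookup(match):
        value = ctx
        for part in match.group(1).split("."):
            value = value[part]
        return str(value)
    return _TEMPLATE.sub(lookup, template)


class Suppression:
    """Sliding window per rendered key tuple: at most MAX_COUNT reports per period."""

    def __init__(self):
        self.seen = {}  # rendered key tuple -> hours at which reports were emitted

    def should_report(self, ctx, now_hours):
        key = tuple(render_key(t, ctx) for t in RULE_KEYS)
        recent = [ts for ts in self.seen.get(key, []) if now_hours - ts < PERIOD_HOURS]
        if len(recent) < MAX_COUNT:
            recent.append(now_hours)
        self.seen[key] = recent
        return recent[-1] == now_hours


def login(user, asn):
    """Constructed USER_LOGIN event with the ip-asn lookup metadata attached."""
    return {"event": {"USER_NAME": user, "SOURCE_IP": "203.0.113.10"},
            "mtd": {"lcr___api_ip_asn": {"autonomous_system_number": asn}}}
```

Because the user name is part of the key, the first login of each user from each ASN is reported; drop `{{ .event.USER_NAME }}` from the keys if one report per new ASN across the whole org is what you want.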
Actually, looks like Maxmind publishes an ASN database. Will take a look this afternoon to see if we can add support for it.
Double correction, we already support it!
Adding the doc for it right now: docs: Fix ASN example and add ip-asn integration page by maximelb · Pull Request #122 · refractionPOINT/documentation · GitHub