
IP_ADDRESS entity metadata (AS / ASN)

  • April 9, 2025
  • 2 replies
  • 40 views

chrisd2

Hello guys,

I'm trying to use the AS a given public IP is part of in the detection logic of a rule.
I can see the metadata in the "Overview" results of the UDM search for a public IP (see entity.artifact.network.asn):

Issue:

In my rule I'm trying to use the entity graph to enrich the results (cannot use auto-enriched fields because the IP lies in network.dns.answers.data, would've been too easy 😅), but it seems that I cannot access the same data as what I see in the "Overview" pane. From rule results, the only entity data I have for the same IP is from DERIVED_CONTEXT and does not contain the AS metadata:

What am I missing? How can I retrieve the AS from a rule in order to use it in the filtering logic or outcome section?

2 replies

kentphelps
  • Staff
  • April 10, 2025

Let me know if these other Community entries help out at all:
https://www.googlecloudcommunity.com/gc/SecOps-SIEM/Issue-with-YARA-L/m-p/841157
https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Using-UDM-Searches-in-Dashboards/ba-p/863916

chrisd2
  • Author
  • Bronze 5
  • April 10, 2025

Hello @kentphelps,

Thanks for your answer!

Unfortunately, I can't apply what is described in those resources. Indeed, they make use of auto-enriched fields linked to principal.ip & target.ip, but in my use case the IP address is stored in network.dns.answers.data and this UDM field is not automatically enriched 😞