Splunk and Geo Location

It is important to ensure the MaxMind database behind Splunk’s iplocation command is as up to date as possible. Long ago I made a skeleton app to download the database in place and take advantage of a Splunk configuration option to point at it. 

MaxMind changed how you can download the free databases in 2019. It is detailed in their Blog Post. I have updated the TA located in my GitRepo to hold and use a downloaded updated database. 

Here are the things you need to do when using this TA to use an updated DB in your environment.

1. You cannot auto-download the database without a paid license key. Regardless of how you obtain the mmdb file, you need to update it on ALL search heads and indexers so that iplocation has the most current information you can obtain.

2. You will need to follow their instructions for setting up an account and download the file to a central location. If you mass-download it from a large number of servers you could get blocked for appearing to be a DDoS against MaxMind.

3. Use your organization’s configuration automation tools to distribute it to ALL the search heads and indexers, placing the file at TA-geoip/bin/GeoLite2-City.mmdb.

4. If you deploy this configuration container app and do not place the mmdb in bin, Splunk will simply fall back to the installation’s default copy. That copy will most likely contain very out-of-date geo information.
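As an added example (not code from the original post or from the TA), the check below reads the build_epoch out of the metadata trailer of a GeoLite2 .mmdb file, so you can verify on each search head and indexer that the deployed copy is not older than you expect. It decodes only the MaxMind DB data types the metadata map uses; the sample bytes are constructed, and the 30-day threshold is an assumption.

```python
import time

# Byte marker that precedes the metadata map at the end of every .mmdb file.
MARKER = b"\xab\xcd\xefMaxMind.com"

def _decode(buf, pos):
    """Decode one MaxMind DB data-format value at buf[pos]; return (value, next_pos)."""
    ctrl = buf[pos]; pos += 1
    typ = ctrl >> 5
    if typ == 0:                                   # extended type: real type is next byte + 7
        typ = buf[pos] + 7; pos += 1
    size = ctrl & 0x1F
    if size >= 29:                                 # 29/30/31: size continues in 1/2/3 more bytes
        n = size - 28
        size = (29, 285, 65821)[n - 1] + int.from_bytes(buf[pos:pos + n], "big"); pos += n
    if typ == 2:                                   # UTF-8 string
        return buf[pos:pos + size].decode("utf-8"), pos + size
    if typ in (5, 6, 9):                           # uint16 / uint32 / uint64, big-endian
        return int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if typ == 7:                                   # map of `size` key/value pairs
        out = {}
        for _ in range(size):
            key, pos = _decode(buf, pos)
            out[key], pos = _decode(buf, pos)
        return out, pos
    if typ == 11:                                  # array of `size` items
        items = []
        for _ in range(size):
            item, pos = _decode(buf, pos); items.append(item)
        return items, pos
    raise ValueError(f"unsupported data type {typ} in metadata")

def read_metadata(blob):
    """Return the metadata map (build_epoch, database_type, ...) of an .mmdb file image."""
    idx = blob.rfind(MARKER)
    if idx < 0:
        raise ValueError("not a MaxMind DB file: metadata marker missing")
    return _decode(blob, idx + len(MARKER))[0]

def is_stale(blob, max_age_days=30, now=None):
    """True if the database was built more than max_age_days before `now` (default: current time)."""
    now = time.time() if now is None else now
    return (now - read_metadata(blob)["build_epoch"]) > max_age_days * 86400

# Constructed sample: dummy data bytes, the marker, then a 2-entry metadata map built on 2019-01-01.
SAMPLE = (b"\x00" * 16 + MARKER + b"\xe2"                                             # map, 2 entries
          + b"\x4b" + b"build_epoch" + b"\x04\x02" + (1546300800).to_bytes(4, "big")  # str key, uint64 (ext type 9)
          + b"\x4d" + b"database_type" + b"\x4d" + b"GeoLite2-City")                  # str key, str value
```

On a real host, pass the file contents, for example `is_stale(open("$SPLUNK_HOME/etc/apps/TA-geoip/bin/GeoLite2-City.mmdb", "rb").read())` with your own $SPLUNK_HOME substituted; a True result from your automation tooling is the signal that step 3 did not reach that node.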

It is important that you keep the database updated, especially if you are using criteria such as Country or Improbable Travel to generate Splunk Enterprise Security Notable Events.

Geo-location Sunday

Today I spent a bit of time playing with Yahoo’s new Fire Eagle location service. It has some pretty decent privacy controls and it is taking off fast as a junction point for location-aware applications. If you sign up for Fire Eagle you can get an automatic invite to Brightkite, which has good SMS and email mechanisms for updating your location. It also has decent privacy controls, such as letting only close friends see your exact location while everyone else gets the city.

So I tied them together and then tied Brightkite to my Twitter location. While I was doing this I was surprised to see how many of my Twitter followers have their exact longitude and latitude coordinates updating from their iPhone. I would wager a lot of them did not give a real thought to the privacy concerns, or to the fact that it tells a lot of people when you are definitely not home. Worse, imagine your kids with iPhones and Twitter. It raises cyber bullying to a whole new level if the bully can go straight to where they really are.

I would recommend disabling location updates and wiping the current location, or using something like Fire Eagle/Brightkite to mask your location to a city level where that has value to you.