A picture is worth a thousand words. This is even more true for visualising security events.
Sometimes you don’t want to go through the entire chain of processing events and mapping them on a world map.
I found an easy way to map -static- IP based data on a map.
Once you have signed up to an account you can create your own maps.
For this example I want to draw the IPs from a blocklist provided by Emerging Threats.
Build a map
When you’ve signed in to CartoDB you have to add a datasource. For this exercise I used the emerging-Block-IPs.txt. The first lines of the block list contain comments. I suggest you remove these comments in your editor. This allows you to have a clear view on the imported data.
Importing a data source is easy. Do this via Maps -> Your Datasets and then click New Dataset. Scroll down to select a file. Select the downloaded Emerging Threats Block list. Once selected, choose Connect Dataset and have ‘Let CartoDB automatically guess data types and content on import’ enabled. Then use Connect Dataset. During the upload you’ll notice that CartoDB is busy mapping the IPs to their geo-location.
Once the file is uploaded you’ll get an overview of the first rows of data. Now switch to the column that contains the IP data and change its label to something meaningful. By default it contains the first row data but in this case you’d probably want it to be called IP.
Once that is done, click on the button Visualize (upper right corner) and choose to create a map. Then choose the Map View button to get a map view of the IPs found in the block list.
If you click a dot in the map you’ll probably get a message that there are no fields selected. In order to solve this click Select Fields and enable Title. Once this is done you’ll get shown the IP corresponding to the different dots on the map when you hoover / click on them.
The CartoDB web service provides an easy way to visualize the sources of events on a world map. It might not provide all the details (drill down) that you have available via for example Kibana but it’s an excellent addition to your investigation arsenal for getting quick results.
As an example, this is the map based Emerging Threats Block-DB from 2-Aug-2015.