https://community.splunk.com/t5/Splunk-User-Behavior-Analytics/Adding-IP-database-to-UBA/m-p/591638#M47 <P>Mapping IP addresses to geolocation can enhance your detection models with risk calculations. In UBA, this functionality is achieved using the MaxMind database.</P><P>UBA ships with a pre-packaged version of the GeoLite2 Free database. You can choose to download the latest version of that database and run that version instead of the pre-packaged version.</P><P>Perform the following steps to download the latest version of the database and run that version in UBA:</P><BLOCKQUOTE><P>If you update UBA, the downloaded, local version of the GeoLite2 Free database takes precedence over the pre-packaged version that ships with UBA. To use the pre-packaged version of the database you must remove the downloaded, local version.</P></BLOCKQUOTE><P>1. Go to <A href="https://dev.maxmind.com/geoip/geoip2/geolite2/#Databases " target="_blank" rel="noopener">https://dev.maxmind.com/geoip/geoip2/geolite2/#Databases </A></P><P>2. Download GeoLite2-City.mmdb.gz and unzip and copy GeoLite2-City.mmdb to the Management Node (node1) as follows:</P><LI-CODE lang="markup">/etc/caspida/local/conf/etl/geo-db/maxmind</LI-CODE><P>3. Sync cluster:</P><LI-CODE lang="markup">/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf/etl/geo-db/</LI-CODE><P>4. Restart caspida:</P><LI-CODE lang="markup">/opt/caspida/bin/Caspida stop-all</LI-CODE><LI-CODE lang="markup">/opt/caspida/bin/Caspida start-all</LI-CODE><P>To learn more about IP address geolocation settings in UBA, see <A href="https://docs.splunk.com/Documentation/UBA/latest/Install/Configure#Set_internal_IP_range_and_associated_office_locations" target="_blank" rel="noopener">Set internal IP range and associated office locations</A>&nbsp; in the <EM>Install and Upgrade UBA manual</EM>.</P> Wed, 30 Mar 2022 23:24:55 GMT elauder_splunk 2022-03-30T23:24:55Z https://community.splunk.com/t5/Splunk-User-Behavior-Analytics/Adding-IP-database-to-UBA/m-p/591635#M46 <P>How to manually download the IP database and add it to Splunk User Behavior Analytics (UBA)?</P> Wed, 30 Mar 2022 23:16:00 GMT https://community.splunk.com/t5/Splunk-User-Behavior-Analytics/Adding-IP-database-to-UBA/m-p/591635#M46 elauder_splunk 2022-03-30T23:16:00Z https://community.splunk.com/t5/Splunk-User-Behavior-Analytics/Adding-IP-database-to-UBA/m-p/591638#M47 <P>Mapping IP addresses to geolocation can enhance your detection models with risk calculations. In UBA, this functionality is achieved using the MaxMind database.</P><P>UBA ships with a pre-packaged version of the GeoLite2 Free database. You can choose to download the latest version of that database and run that version instead of the pre-packaged version.</P><P>Perform the following steps to download the latest version of the database and run that version in UBA:</P><BLOCKQUOTE><P>If you update UBA, the downloaded, local version of the GeoLite2 Free database takes precedence over the pre-packaged version that ships with UBA. To use the pre-packaged version of the database you must remove the downloaded, local version.</P></BLOCKQUOTE><P>1. Go to <A href="https://dev.maxmind.com/geoip/geoip2/geolite2/#Databases " target="_blank" rel="noopener">https://dev.maxmind.com/geoip/geoip2/geolite2/#Databases </A></P><P>2. Download GeoLite2-City.mmdb.gz and unzip and copy GeoLite2-City.mmdb to the Management Node (node1) as follows:</P><LI-CODE lang="markup">/etc/caspida/local/conf/etl/geo-db/maxmind</LI-CODE><P>3. Sync cluster:</P><LI-CODE lang="markup">/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf/etl/geo-db/</LI-CODE><P>4. Restart caspida:</P><LI-CODE lang="markup">/opt/caspida/bin/Caspida stop-all</LI-CODE><LI-CODE lang="markup">/opt/caspida/bin/Caspida start-all</LI-CODE><P>To learn more about IP address geolocation settings in UBA, see <A href="https://docs.splunk.com/Documentation/UBA/latest/Install/Configure#Set_internal_IP_range_and_associated_office_locations" target="_blank" rel="noopener">Set internal IP range and associated office locations</A>&nbsp; in the <EM>Install and Upgrade UBA manual</EM>.</P> Wed, 30 Mar 2022 23:24:55 GMT https://community.splunk.com/t5/Splunk-User-Behavior-Analytics/Adding-IP-database-to-UBA/m-p/591638#M47 elauder_splunk 2022-03-30T23:24:55Z