User Guide

Synapse MaxMind adds new Storm commands for retrieving IPv4 and IPv6 location data from the MaxMind GeoIP2 databases.

The GeoIP2 databases are included as part of the Synapse MaxMind distribution, and will be updated in periodic releases.

Getting Started

Check with your Admin to enable permissions.

Examples

Enrich an IPv4 node

Secondary properties are populated with data from the MaxMind database:

> inet:ipv4#my.ipv4 | maxmind
inet:ipv4=129.186.1.100
        .created = 2024/04/21 15:59:53.684
        :asn = 2698
        :latlong = 42.0373,-93.6005
        :loc = us.ia.ames
        :type = unicast
        #my.ipv4

inet:asn nodes are also created if the appropriate data is available:

> inet:ipv4#my.ipv4 | maxmind --yield
inet:asn=2698
        .created = 2024/04/21 15:59:53.785
        :name = iastate-as

Use of meta:source nodes

Synapse-MaxMind uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the MaxMind API.

> meta:source=cf52a2ea5eed1dff4deb47e9055a90c8
meta:source=cf52a2ea5eed1dff4deb47e9055a90c8
        .created = 2024/04/21 15:59:53.762
        :name = data from maxmind
        :type = maxmind

Storm can be used to filter query results to include or exclude nodes that have been observed by Synapse-MaxMind. The following example shows how to filter the results of a query to include only results observed by Synapse-MaxMind:

> inet:asn:name^=iastate +{ <(seen)- meta:source=cf52a2ea5eed1dff4deb47e9055a90c8 }
inet:asn=2698
        .created = 2024/04/21 15:59:53.785
        :name = iastate-as
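
The complementary provenance queries, as an added example that is not part of the original guide. Each query is run on its own and reuses the meta:source guid and the inet:asn lift shown above; output is omitted because it depends on the contents of your Cortex.

```storm
// Query 1: exclude instead of include.
// Same lift as above, but the -{ } subquery filter drops every node that
// has an inbound (seen) edge from the Synapse-MaxMind meta:source, leaving
// only ASN nodes whose data was not attributed to this source.
inet:asn:name^=iastate -{ <(seen)- meta:source=cf52a2ea5eed1dff4deb47e9055a90c8 }

// Query 2: start from the source and walk outward.
// Lists every node, of any form, that the meta:source node points to with
// a (seen) edge, which is useful when reviewing what this source has
// contributed to the Cortex.
meta:source=cf52a2ea5eed1dff4deb47e9055a90c8 -(seen)> *

// Query 3: the same walk restricted to one form.
// Only inet:asn nodes reached over (seen) edges are returned.
meta:source=cf52a2ea5eed1dff4deb47e9055a90c8 -(seen)> inet:asn
```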