Group session source by GeoIP country

I would like to chart sessions - in my specific case, SSL sessions which negotiate TLSv1 - by the country of origin. Drilling down in server activity by client IP, ExtraHop provides the GeoMap “View on Map” function, which is fantastic eye candy, but not practical to present in a dashboard. Can anyone suggest a way to use the inbuilt GeoIP database to chart session source by country?

The Trigger API provides access to the GeoIP database and enables you to retrieve the approximate country-level or city-level location of a specific IP address. In this example, I’m printing the server IP address and its GeoIP-located country name for each SSL_OPEN event:

// Events: SSL_OPEN
var ip = Flow.server.ipaddr;          // server side of the flow
if (!ip.isRFC1918) {                  // skip private (internal) addresses, which have no GeoIP entry
    debug(ip + " : " + GeoIP.getCountry(ip).countryName);
}

Some example output:

54.229.15.211 : Ireland
204.2.197.211 : United States
103.20.94.8 : Singapore
151.101.1.140 : United States
52.129.66.13 : United States
52.66.151.216 : India
54.231.121.58 : United States

You could write a similar trigger to identify TLSv1 traffic and commit the client IP and/or the country of origin to a custom metric using the metricAddCount or metricAddDetailCount methods.
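Here is what that trigger could look like, as an added example rather than code from the original thread or from ExtraHop. The trigger body is wrapped in a function that takes the event globals (Flow, SSL, GeoIP) as parameters so it can be run in Node against a constructed stand-in; in a real trigger you would reference the globals directly. The API names used (Flow.client.ipaddr, IPAddress.isRFC1918, SSL.version as a string such as "TLSv1", GeoIP.getCountry(ip).countryName, Device.metricAddCount and Device.metricAddDetailCount) are my reading of the Trigger API and should be checked against the API reference for your firmware; the IP-to-country table and the session list below are constructed for the example, not real data.

```javascript
// Added example: TLSv1 sessions counted per client country as a custom detail metric.
// Trigger body, intended for the SSL_OPEN event. Returns the detail key it recorded
// (or null when the session was not TLSv1) so the logic can be checked outside ExtraHop.
function recordTlsv1ByCountry(Flow, SSL, GeoIP) {
  // Assumed: SSL.version carries the negotiated version as a string like "TLSv1".
  if (SSL.version !== "TLSv1") return null;

  var ip = Flow.client.ipaddr;               // the client is the session source
  var country = "Private (RFC1918)";         // internal addresses have no GeoIP entry
  if (!ip.isRFC1918) {
    var geo = GeoIP.getCountry(ip);          // assumed to return null for unmapped addresses
    country = (geo && geo.countryName) ? geo.countryName : "Unknown";
  }

  var server = Flow.server.device;
  server.metricAddCount("tlsv1_sessions", 1);                          // overall count per server
  server.metricAddDetailCount("tlsv1_sessions_by_country", country, 1); // keyed by country for charting
  return country;
}

// ---- Constructed stand-in for the ExtraHop environment (hypothetical, for running offline) ----
function makeDevice() {
  var metrics = { counts: {}, details: {} };
  return {
    metrics: metrics,
    metricAddCount: function (name, n) {
      metrics.counts[name] = (metrics.counts[name] || 0) + n;
    },
    metricAddDetailCount: function (name, key, n) {
      var d = metrics.details[name] || (metrics.details[name] = {});
      d[key] = (d[key] || 0) + n;
    }
  };
}

// Tiny constructed GeoIP table; the appliance uses its own database.
var fakeGeoTable = { "54.229.15.211": "Ireland", "52.66.151.216": "India", "204.2.197.211": "United States" };
var fakeGeoIP = {
  getCountry: function (ip) {
    var name = fakeGeoTable[ip.toString()];
    return name ? { countryName: name } : null;
  }
};

// Minimal IPAddress stand-in exposing only what the trigger uses.
function fakeIp(addr) {
  var rfc1918 = /^10\.|^192\.168\.|^172\.(1[6-9]|2\d|3[01])\./.test(addr);
  return { isRFC1918: rfc1918, toString: function () { return addr; } };
}

// Runs the trigger over a list of {client, version} sessions against one server device.
function simulate(sessions) {
  var device = makeDevice();
  sessions.forEach(function (s) {
    var Flow = { client: { ipaddr: fakeIp(s.client) }, server: { device: device } };
    recordTlsv1ByCountry(Flow, { version: s.version }, fakeGeoIP);
  });
  return device.metrics;
}

// Constructed sample sessions.
var sampleSessions = [
  { client: "54.229.15.211", version: "TLSv1" },
  { client: "52.66.151.216", version: "TLSv1" },
  { client: "204.2.197.211", version: "TLSv1.2" },  // ignored: not TLSv1
  { client: "10.1.2.3",      version: "TLSv1" },    // internal: no GeoIP lookup
  { client: "203.0.113.7",   version: "TLSv1" },    // not in the table: "Unknown"
  { client: "54.229.15.211", version: "TLSv1" }
];

console.log(JSON.stringify(simulate(sampleSessions), null, 2));
```

On the appliance the detail metric tlsv1_sessions_by_country shows up as a custom metric on the server device, keyed by country name, which is what a dashboard chart can group on; the "Private (RFC1918)" and "Unknown" keys keep internal and unmapped clients visible instead of silently dropping them.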

We’re currently using the trigger API to retrieve country information for other session data. The shortcoming is when left-field questions are asked about existing data. To answer questions like “where are these sessions originating?” with a trigger we need to compose the trigger, and then wait for resulting data to accumulate.

Being able to chart sessions grouped by GeoIP country would allow ad-hoc analysis on historical data.