Query Details

External Access

Query

//This is an example line of a KQL query for external data retrieval.
//This example queries IP-API with an IP address and returns country, region, regionName, and city.
//This approach is handy while developing a KQL query in the Logs blade.
//You can also run this IP-API query from a Playbook to add context to an Incident in its comments.
//See: https://secureinfra.blog/2020/09/03/how-to-add-geographical-data-for-ip-addresses-to-an-azure-sentinel-incident/

externaldata(status:string, country:string, region:string, regionName:string, city:string)[@"http://ip-api.com/json/174.98.173.42"] with(format="json")

Explanation

This KQL query retrieves external data from IP-API using an IP address (174.98.173.42) and returns the country, region, region name, and city associated with that IP address. It can be used in Azure Sentinel to add geographical data to an incident.

Details


Rod Trent

Released: September 25, 2020

Tables

No table name is mentioned in the given KQL query.

Keywords

IP-API, country, region, regionName, city

Operators

externaldata, with, format