External GE Ofor Security Events
Query
//Get you geolocation for your SecurityEvents, using a publicly available IP geolocation file
let geoData = externaldata
(network:string,geoname_id:string,continent_code:string,continent_name:string,
country_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)
[@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"] with (ignoreFirstRecord=true, format="csv");
SecurityEvent
| evaluate ipv4_lookup (geoData, IpAddress, network, false)Explanation
This query retrieves geolocation data for SecurityEvents by using a publicly available IP geolocation file. It first imports the geolocation data from a CSV file hosted on GitHub. Then, it uses the ipv4_lookup function to match the IP addresses in the SecurityEvent data with the corresponding geolocation information from the imported file.
Details

Rod Trent
Released: December 1, 2020
Tables
SecurityEvent
Keywords
SecurityEventsIpAddress
Operators
evaluateipv4_lookup