Query Details

External GEO for Security Events

Query

// Get geolocation for your SecurityEvents using a publicly available IP geolocation file
// (column names below follow the header of the geoip2-ipv4.csv file)

let geoData = externaldata
(network:string,geoname_id:string,continent_code:string,continent_name:string,
country_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)
[@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"] with (ignoreFirstRecord=true, format="csv");
SecurityEvent
// match each IpAddress against the CIDR ranges in the network column; the last argument
// (return_unmatched = false) drops rows whose IP falls in no listed range
| evaluate ipv4_lookup(geoData, IpAddress, network, false)

Explanation

This query retrieves geolocation data for SecurityEvents by using a publicly available IP geolocation file. It first imports the geolocation data from a CSV file hosted on GitHub with externaldata. Then it uses the ipv4_lookup plugin to match the IpAddress column in SecurityEvent against the CIDR ranges in the network column of the imported file, appending the corresponding geolocation fields (continent, country, anonymous-proxy and satellite-provider flags) to each matched row. Because the last argument is false, rows whose IP address matches no range in the file are dropped from the result.
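The same lookup applied to a concrete detection use: failed logons (EventID 4625) grouped by source country, with unmatched IPs kept so gaps in the geolocation file are visible. This is an added example, not part of the original query page; the 7-day lookback window and the choice of EventID 4625 are assumptions for illustration.

```kql
// Added example: failed logons by source country using the same geoData lookup.
let geoData = externaldata
(network:string,geoname_id:string,continent_code:string,continent_name:string,
country_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)
[@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"] with (ignoreFirstRecord=true, format="csv");
let lookback = 7d;   // assumed window
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                                   // failed logon
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
// private ranges have no public geolocation; ipv4_is_private() returns null for
// non-IPv4 strings, so IPv6 sources are filtered out here as well
| where not(ipv4_is_private(IpAddress))
// return_unmatched = true keeps rows whose IP is in no listed range (lookup columns are null)
| evaluate ipv4_lookup(geoData, IpAddress, network, true)
| extend country = iff(isempty(country_name), "UNMATCHED", country_name)
| summarize FailedLogons = count(),
            DistinctIPs = dcount(IpAddress),
            Accounts = make_set(TargetUserName, 20)
          by country, is_anonymous_proxy
| order by FailedLogons desc
```

A large UNMATCHED bucket means the public CSV does not cover those ranges, not that the traffic is benign; an elevated is_anonymous_proxy group is worth reviewing separately.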

Details


Rod Trent

Released: December 1, 2020

Tables

SecurityEvent

Keywords

SecurityEvents,IpAddress

Operators

evaluate, ipv4_lookup
