Query Details

GEOIP Location

Query

// IP Geo Location: the following will get you geolocation for your SecurityEvents, using a publicly available IP geolocation file:

let geoData = externaldata
(network:string,geoname_id:string,continent_code:string,continent_name:string,
country_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)
[@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"] with (ignoreFirstRecord=true, format="csv");
SecurityEvent
| evaluate ipv4_lookup (geoData, IpAddress, network, false)

Explanation

This query uses a publicly available IP geolocation file to get the geolocation information for SecurityEvents. The externaldata operator reads the CSV into geoData (the column list declares the schema, ignoreFirstRecord skips the header row), and the ipv4_lookup plugin then matches each IpAddress in SecurityEvent against the CIDR ranges in the network column, appending the matching row's geolocation columns. The final argument, false, means return_unmatched is off, so events whose IP falls in no listed network are dropped from the output.
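The same technique against inline data, added here as an example and not part of the original query page: both sides of the lookup are built with datatable (constructed sample rows, using RFC 5737 documentation address ranges and made-up country names) so it runs in any Kusto environment without internet access or a SecurityEvent table. It also shows the two checks a practitioner usually wants around this query: private addresses are filtered out before the lookup, since a public GeoIP table will never match them, and return_unmatched is set to true so public IPs that are absent from the table are kept and counted as Unknown instead of silently disappearing.

```kusto
// Added example (not the original page's query): ipv4_lookup over constructed inline data.
// Networks, IPs, accounts and country names below are constructed sample values.
let geoData = datatable(network:string, country_iso_code:string, country_name:string)
[
    "203.0.113.0/24",  "XA", "Example Country A",   // TEST-NET-3 documentation range
    "198.51.100.0/24", "XB", "Example Country B",   // TEST-NET-2 documentation range
];
let sampleEvents = datatable(TimeGenerated:datetime, Account:string, IpAddress:string, EventID:int)
[
    datetime(2021-03-03 10:00:00), "CONTOSO\\alice", "203.0.113.45", 4625,
    datetime(2021-03-03 10:00:05), "CONTOSO\\alice", "203.0.113.46", 4625,
    datetime(2021-03-03 10:01:00), "CONTOSO\\bob",   "198.51.100.7", 4624,
    datetime(2021-03-03 10:02:00), "CONTOSO\\carol", "10.0.0.12",    4624,  // private: never matches a public table
    datetime(2021-03-03 10:03:00), "CONTOSO\\dave",  "192.0.2.9",    4624,  // public, but not in the table
];
sampleEvents
| where isnotempty(IpAddress) and not(ipv4_is_private(IpAddress))   // keep public addresses only
| evaluate ipv4_lookup(geoData, IpAddress, network, true)            // true: keep rows with no matching network
| extend country_name = iff(isempty(country_name), "Unknown", country_name)
| summarize Events = count(),
            FailedLogons = countif(EventID == 4625),
            DistinctIPs = dcount(IpAddress)
    by country_name, country_iso_code
| order by FailedLogons desc
// Expected result on the sample rows:
//   Example Country A  XA  Events=2  FailedLogons=2  DistinctIPs=2
//   Example Country B  XB  Events=1  FailedLogons=0  DistinctIPs=1
//   Unknown            ""  Events=1  FailedLogons=0  DistinctIPs=1
```

To run the original query's logic against real data, replace the sampleEvents datatable with SecurityEvent and the geoData datatable with the externaldata call from the page. Note that externaldata fetches the CSV from the remote URL every time the query runs, so the lookup results depend on whatever that file contains at query time; if the workspace restricts outbound fetches, the externaldata call fails rather than returning empty results.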

Details


Rod Trent

Released: March 3, 2021

Tables

geoData

Keywords

IP Geo Location, SecurityEvents, geolocation, IP geolocation file

Operators

evaluate ipv4_lookup
