Forum Discussion
uditk14
Jun 21, 2020 Copper Contributor
KQL question
AzureActivity | summarize LastActivity = max(TimeGenerated) by ResourceProvider, ResourceGroup | join kind = innerunique( AzureActivity | summarize Operations = count() by ResourceGroup, ResourceProv...
Clive_Watson
Nov 09, 2021 Bronze Contributor
Are you bringing in TI feeds? https://docs.microsoft.com/en-us/azure/sentinel/whats-new#enriched-threat-intelligence-with-geolocation-and-whois-data-public-preview These are now enriched with geolocation and whois.
Below this there is a REST API: https://docs.microsoft.com/en-us/azure/sentinel/geolocation-data-api
SocInABox
Nov 09, 2021 Iron Contributor
That's a GREAT point, thanks Clive!!!!
- SocInABox
  Nov 09, 2021 Iron Contributor
  Super thanks again.
- Clive_Watson
  Nov 09, 2021 Bronze Contributor
  This Workbook I quickly created will demo the REST API, provide the geo details and map it for you.
Source: KQLpublic/geoLocation.workbook at master · clivewatson/KQLpublic (github.com)