uditk14
Jun 21, 2020, Copper Contributor
KQL question
AzureActivity | summarize LastActivity = max(TimeGenerated) by ResourceProvider, ResourceGroup | join kind = innerunique( AzureActivity | summarize Operations = count() by ResourceGroup, ResourceProv...
CliveWatson
Nov 09, 2021, Former Employee
I just realised the original query was before we had ipv4_lookup(), so does this change improve things (it's less code at least)?
// The KQL operator is externaldata (one word); the CSV has a header row, so tell the
// parser to skip it or "network" is read as a (non-matching) CIDR and geoname_id as null
let IP_Data = externaldata(network:string, geoname_id:long, continent_code:string, continent_name:string,
                           country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
    ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
    with (format="csv", ignoreFirstRecord=true);
let IPs =
    CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    // filter out private networks (RFC 1918 space only; loopback, link-local etc. are not covered)
    | where not(ipv4_is_private(SourceIP)) and not(ipv4_is_private(DestinationIP))
    | summarize by SourceIP
    ;
IPs
| evaluate ipv4_lookup(IP_Data, SourceIP, network, return_unmatched = true)

SocInABox
Nov 09, 2021, Iron Contributor
That works, thanks! I'll just have to add a filter for loopbacks, bogons, etc.
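The filter SocInABox mentions, written out as an added example that is not part of the thread. ipv4_is_private() only knows the three RFC 1918 blocks, so loopback, link-local, CGNAT, documentation and multicast space still reach the lookup and either fail to match or match nonsense. The bogon list below is my own assumption and is not exhaustive; ipv4_is_in_any_range() accepts a dynamic array of prefixes, which keeps the list in one place. The externaldata source and the CommonSecurityLog/Fortinet filter are taken from Clive's query above.

```kql
// Added example (not from the original thread): geo-enrichment with ipv4_lookup()
// after dropping RFC 1918 space AND the non-routable ranges ipv4_is_private() misses.
let IP_Data = externaldata(network:string, geoname_id:long, continent_code:string, continent_name:string,
                           country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
    ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
    with (format="csv", ignoreFirstRecord=true);
// Assumed bogon list: ranges that are never routable on the public Internet.
// Extend it with your own public space if you want to exclude "self" traffic too.
let Bogons = dynamic([
    "0.0.0.0/8",          // "this" network
    "127.0.0.0/8",        // loopback
    "169.254.0.0/16",     // link-local / APIPA
    "100.64.0.0/10",      // shared address space (CGNAT)
    "192.0.0.0/24",       // IETF protocol assignments
    "192.0.2.0/24",       // TEST-NET-1 (documentation)
    "198.51.100.0/24",    // TEST-NET-2
    "203.0.113.0/24",     // TEST-NET-3
    "198.18.0.0/15",      // benchmarking
    "224.0.0.0/4",        // multicast
    "240.0.0.0/4"         // reserved, includes 255.255.255.255
]);
let IPs =
    CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    | where isnotempty(SourceIP)
    // RFC 1918 (10/8, 172.16/12, 192.168/16)
    | where not(ipv4_is_private(SourceIP))
    // everything else that cannot have a meaningful geolocation
    | where not(ipv4_is_in_any_range(SourceIP, Bogons))
    | summarize Events = count() by SourceIP;
IPs
| evaluate ipv4_lookup(IP_Data, SourceIP, network, return_unmatched = true)
// return_unmatched = true keeps IPs with no matching prefix so gaps in the feed are visible
| project SourceIP, Events, country_iso_code, country_name, is_anonymous_proxy, is_satellite_provider
| order by Events desc
```

Keeping return_unmatched = true is deliberate: an IP that survives both filters but still has no country is worth seeing, because it usually means the GeoIP feed is stale or the address is in a range the bogon list should have caught.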