Forum Discussion

philip-patrick's avatar
philip-patrick
Copper Contributor
Jan 08, 2019

Geolocation query from IP address

Hi, Any idea if that's possible (and if yes - how) to add resolving of IP address to geolocation and any other IP information in a query in Log Analytics? For example, part of the message body I hav...
azure monitor
Query Language
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Mar 10, 2022

SocInABox

There are many other sources you can use, and typically you need to pay for the data. If my lookup is within a workbook I'd also use the Microsoft geoLocation api, but again I'm not sure it and any source is 100%

An example of this api in use is in the Sentinel Github: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/AWSS3.json.  In the Guardduty and VPCFlow reports when you click on an IP it uses the api.



Taking your first example the Microsoft api, VirtusTotal and Talos as examples think its Russia : 92.38.0.0
Reputation Lookup || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence


There is a VirusTotal Playbook in the Sentinel Library so you can use that as a starter for IP enrichment.

------------

I also wrote this Workbook to compare an IP against two of the services  KQLpublic/KQL/Workbooks/geoLocation at master · CliveWatsonQC/KQLpublic (github.com)
You enter IP Address in the top parameter list, then you can see it from the MSFT api or GeoIP2 - you can probably see how you could extend this to use more services.

 



povlhp's avatar
povlhp
Copper Contributor
Mar 11, 2022
We really need Microsoft to provide us with this.
They have the defender in Azure - We can see city/country for all logons in AzureAD, the same in the Cloud Security.
Thus Microsoft do have the lookup data available and are actively using it to enrich their own log entries. They just need to provide the same info to use. But maybe they are not licensed to do that. or they would rather we all pay for something else running in their cloud.
Making it easier to call-out to webhooks / WebAPIs would help us, it is trivial to install the MaxMind GeoIP2 and expose it thru the web.