Forum Discussion
Country names in maps
endakelly It sounds like you know which country codes are causing the issues and what they should be. You could do a mapping in your KQL to fix just those issues if there are not that many using a case statement like:
extend MaliciousCountry = case(MaliciousIPCountry == "PRC, "PR", MaliciousIPCountry == "Korea, "KR", MaliciousIPCountry)
This will do the translation for those countries that need it or else just return the country code if no translation is needed.
(I have no clue what the real country codes should be but hopefully this gets the point across)
Hi endakelly
A couple of options
https://techcommunity.microsoft.com/t5/azure-log-analytics/log-analytics-look-up-external-source-of-data/m-p/101198 see my reply here on how to use a country code (I used an external source) but if you have a local Table then you can use that in a Join?
You can also try to reduce the Map data - Top 10 seems to reduce "other" from appearing, I suspect its linked to a line wrap for the legend (assuming you are ok with seeing just the top 10). With my data I see "other" if I use Top 11 onwards...
externaldata(Name:string, Code:string) [@"https://datahub.io/core/country-list/r/data.csv"]
| join kind= inner (
CommonSecurityLog
| where isnotempty(MaliciousIP)
| summarize count() by MaliciousIPCountry
) on $left.Name == $right.MaliciousIPCountry
| project Code, count_, MaliciousIPCountry
| top 10 by count_
I then mapped the Country Code to the location