Forum Discussion
Geolocation and related visualisations (world map)
Thanks, Clive, for the prompt reply.
The W3CIISLog table appears to have those fields populated by Sentinel at index time. Tables such as CommonSecurityLog don't have these fields even if source and destination IPs are present (with various names, depending on the device sending the logs).
For example, for a Palo Alto firewall with the logs sent in CEF format, one gets DestinationIP and SourceIP, but the RemoteIP field doesn't get populated (and no RemoteIPCountry, etc.). I could, in principle, adjust the log format to send RemoteIP populated with the DestinationIP value; I'm not sure if that will trigger the creation of the corresponding RemoteIPCountry and geo information. I will test this, just to see if it makes any difference.
For the Syslog table, where we may need to extract the source and destination IPs from a generic field (such as Message), we would need a way to create the geolocation fields from those IPs at search time.
Another issue is that I don't see any option of rendering the results that contain this information as a map chart.
As a quick update, sending the logs with RemoteIP populated has no effect on the RemoteIP field in CommonSecurityLog (which remains empty).
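The search-time approach the post asks for, as an added KQL example that is not part of the original thread or of any Sentinel content pack. It normalises the CEF columns (SourceIP / DestinationIP in CommonSecurityLog, as named in the post) and IPs extracted from the free-text SyslogMessage column into one shape, then enriches the destination at query time. Assumptions, not facts from the post: the Syslog messages carry "src=" and "dst=" tokens (adjust the regexes to the actual device format), the DeviceVendor value is "Palo Alto Networks", and the workspace supports the built-in geo_info_from_ip_address() function. Private and loopback ranges are dropped before the lookup, because geolocating RFC 1918 space only produces noise.

```kql
// Added example (not from the post). Assumes Syslog messages contain
// "src=<ip>" and "dst=<ip>" tokens and that geo_info_from_ip_address()
// is available in the workspace; both are assumptions to verify locally.
let lookback = 1d;
let ipv4 = @"(\d{1,3}(?:\.\d{1,3}){3})";
// CEF sources already expose the IPs as typed columns.
let CefIps = CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Palo Alto Networks"        // assumed vendor string
| project TimeGenerated, Source = "CEF", SrcIp = SourceIP, DstIp = DestinationIP;
// Generic syslog: pull the IPs out of the message text at query time.
let SyslogIps = Syslog
| where TimeGenerated > ago(lookback)
| extend SrcIp = extract(strcat(@"\bsrc=", ipv4), 1, SyslogMessage),
         DstIp = extract(strcat(@"\bdst=", ipv4), 1, SyslogMessage)
| where isnotempty(SrcIp) and isnotempty(DstIp)
| project TimeGenerated, Source = "Syslog", SrcIp, DstIp;
union CefIps, SyslogIps
// Skip private / loopback destinations: geolocation of those is meaningless.
| where not(ipv4_is_private(DstIp)) and not(ipv4_is_match(DstIp, "127.0.0.0/8"))
| extend Geo = geo_info_from_ip_address(DstIp)
| extend DstCountry   = tostring(Geo.country),
         DstCity      = tostring(Geo.city),
         DstLatitude  = toreal(Geo.latitude),
         DstLongitude = toreal(Geo.longitude)
| where isnotempty(DstCountry)
| summarize Events = count(), Sources = make_set(Source) by DstCountry, DstCity, DstLatitude, DstLongitude
| order by Events desc
```

The summarised output carries a latitude/longitude pair per row, which is the shape a map visual (for example a Workbook map tile bound to those two columns) expects; a plain table is what the query itself returns.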