Forum Discussion

akshay250692's avatar
akshay250692
Brass Contributor
Aug 24, 2022

KQL query not showing sourec country info

Hi Team,

 

I created one query from commonsecurity table it showing destination country info but not source country. Please help me to find out source country info also. source country column getting empty but destnation column getting info like ip and country name

 

CommonSecurityLog
| where DeviceProduct has 'PAN-OS' and DeviceVendor =~ 'Palo Alto Networks' and Activity =~ 'THREAT'
| where TimeGenerated >= ago(1d)
| extend IsLateral = iif(((ipv4_is_private(SourceIP) == true) and (ipv4_is_private(DestinationIP)== true)) , 'true', 'false')
    | where IsLateral == 'false'
    | extend IsOutbound = iif(((ipv4_is_private(SourceIP) == true) and (ipv4_is_private(DestinationIP) == false)) , 'true', 'false'),
             IsInbound = iif(ipv4_is_private(SourceIP) == false, 'true', 'false')
    | extend TrafficDirection = iif((IsOutbound == 'true'), "Outbound", "Inbound")
| extend Simplified_Firewall_Action = iif((DeviceAction in ("allow", "alert", "block-continue", "continue")), 'Allowed', 'Blocked')
| parse  kind=regex flags=U AdditionalExtensions with * "DstLocation=" DestinationCountry ';' * "SrcLocation=" SourceCountry
| summarize count() by DeviceEventClassID, LogSeverity, Detailed_Firewall_Action = DeviceAction, Simplified_Firewall_Action, TrafficDirection, SourceCountry, DestinationCountry
| project Date = now(-1d), Subtype = DeviceEventClassID, Severity = LogSeverity, Detailed_Firewall_Action, Simplified_Firewall_Action, TrafficDirection, SourceCountry, DestinationCountry, Count=count_

  • Generally if the Vendor doesn't supply the data you would have to try and look it up in another Table.

    By the way you could have used ASIM for this (simple example):

    _Im_NetworkSession_PaloAltoCEFV06(starttime=ago(1d))
    // or use _ASim_NetworkSession if you dont need a parameter https://docs.microsoft.com/en-us/azure/sentinel/network-normalization-schema
    | where Activity =~"Threat"
    | distinct DstGeoCountry, SrcGeoCountry

    note: GeoCountry are optional in the schema
  • Clive_Watson's avatar
    Clive_Watson
    Bronze Contributor
    Generally if the Vendor doesn't supply the data you would have to try and look it up in another Table.

    By the way you could have used ASIM for this (simple example):

    _Im_NetworkSession_PaloAltoCEFV06(starttime=ago(1d))
    // or use _ASim_NetworkSession if you dont need a parameter https://docs.microsoft.com/en-us/azure/sentinel/network-normalization-schema
    | where Activity =~"Threat"
    | distinct DstGeoCountry, SrcGeoCountry

    note: GeoCountry are optional in the schema
    • akshay250692's avatar
      akshay250692
      Brass Contributor
      | parse kind=regex flags=U AdditionalExtensions with * "DstLocation=" DestinationCountry ';' * "SrcLocation=" SourceCountry : string
      this is correct line.

Resources