Forum Discussion
akshay250692
Aug 24, 2022, Brass Contributor
KQL query not showing source country info
Hi Team, I created one query from the CommonSecurity table; it is showing destination country info but not source country. Please help me find the source country info also. source country column getti...
Clive_Watson
Aug 25, 2022, Bronze Contributor
Generally, if the vendor doesn't supply the data, you would have to try and look it up in another table.
By the way, you could have used ASIM for this (simple example):
_Im_NetworkSession_PaloAltoCEFV06(starttime=ago(1d))
// or use _ASim_NetworkSession if you don't need a parameter: https://docs.microsoft.com/en-us/azure/sentinel/network-normalization-schema
| where Activity =~ "Threat"
| distinct DstGeoCountry, SrcGeoCountry
Note: the GeoCountry fields are optional in the schema.
akshay250692
Aug 30, 2022, Brass Contributor
| parse kind=regex flags=U AdditionalExtensions with * "DstLocation=" DestinationCountry ';' * "SrcLocation=" SourceCountry : string
This is the correct line.
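The parse statement in the reply above works, but it depends on DstLocation appearing before SrcLocation in AdditionalExtensions, and when the vendor does not send SrcLocation at all the whole pattern fails to match and both columns come back empty. The query below is an added example written for this thread, not something posted by either participant: it pulls each key out of the CEF AdditionalExtensions string independently with extract(), so key order does not matter and a missing SrcLocation is reported explicitly instead of silently disappearing. The table and column names are the ones used in the thread; the "DstLocation" and "SrcLocation" key names are taken from the reply above, and the "not supplied" label is a constructed value.

```kusto
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where Activity =~ "Threat"
| where isnotempty(AdditionalExtensions)
// AdditionalExtensions carries vendor-specific CEF fields as "key=value;key=value;...".
// Extract each key with its own regex so the result does not depend on the order
// of the keys, and a key the vendor never sent simply yields an empty value.
| extend DestinationCountry = extract(@"(?:^|;)DstLocation=([^;]*)", 1, AdditionalExtensions),
         SourceCountry      = extract(@"(?:^|;)SrcLocation=([^;]*)", 1, AdditionalExtensions)
// Make the "vendor did not send it" case visible rather than dropping those rows.
| extend SourceCountry = iif(isempty(SourceCountry), "not supplied", SourceCountry)
| summarize Events = count() by SourceCountry, DestinationCountry
| order by Events desc
```

Key names inside AdditionalExtensions vary by vendor and product version, so before relying on this query run `CommonSecurityLog | where isnotempty(AdditionalExtensions) | take 5 | project DeviceVendor, DeviceProduct, AdditionalExtensions` and confirm which keys your connector actually emits. If "not supplied" dominates the results, the vendor is not sending a source location and the country has to come from another source, which is the point made in the accepted reply.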