Forum Discussion
Mapping IPs to autonomous systems number and name
- Mar 02, 2020
You could approach this with the externaldata operator as mentioned here: https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306
I downloaded the "IP4 to ASN map" from here: https://iptoasn.com/ (use a source you trust and you validate...this is just an example)
I uploaded that file to Azure Blob (after unpacking it to a .CSV file), then generated a SAS token and URL. I use the URL created in this query:
let iptofind = "13.64.0.100";
// the five columns match the downloaded IP4-to-ASN map; the SAS URL goes in place of the placeholder
externaldata (first_ip:string, end_ip:string, as_num:int, country_code:string, description:string)
    [@"https://< insert your URL here>"]
| project iptofind, first_ip, end_ip, as_num, description
| where parse_ipv4(iptofind) between (parse_ipv4(first_ip) .. parse_ipv4(end_ip))
I use parse_ipv4 to work out where in the range the IP address I want is; it then returns the AS_Number (as_num) and description data.
You will have to download a new file on a regular basis (if required); maybe automate that with Logic Apps, or another option is to use Logic Apps to read the data using the API?
I hope that helps.
Clive
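The same range lookup done offline in Python, as an added example that is not part of Clive's post: it assumes the five-column, tab-separated layout the KQL query declares (first_ip, end_ip, as_num, country_code, description), and the sample rows are constructed. Instead of a full scan like the KQL `between`, it sorts the ranges once and binary-searches the start addresses, returning None for an address no range covers.

```python
import bisect
import ipaddress
from typing import NamedTuple, Optional


class AsnRange(NamedTuple):
    first: int          # first_ip as an integer
    last: int           # end_ip as an integer
    as_num: int
    country_code: str
    description: str


# Constructed sample rows in the five-column layout the query declares; the
# real ip2asn file has hundreds of thousands of these.
SAMPLE_TSV = (
    "13.64.0.0\t13.107.255.255\t8075\tUS\tMICROSOFT-CORP-MSN-AS-BLOCK\n"
    "8.8.8.0\t8.8.8.255\t15169\tUS\tGOOGLE\n"
    "198.51.100.0\t198.51.100.255\t0\tNone\tNot routed\n"
)


class AsnTable:
    """IP-to-ASN lookup table with binary search over sorted range starts."""

    def __init__(self, tsv_text: str) -> None:
        rows = []
        for line in tsv_text.splitlines():
            if not line.strip():
                continue                      # skip blank lines
            first, last, asn, cc, desc = line.split("\t", 4)
            rows.append(AsnRange(int(ipaddress.IPv4Address(first)),
                                 int(ipaddress.IPv4Address(last)),
                                 int(asn), cc, desc))
        self.ranges = sorted(rows, key=lambda r: r.first)
        self.starts = [r.first for r in self.ranges]   # parallel list for bisect

    def lookup(self, ip: str) -> Optional[AsnRange]:
        """Return the range containing ip, or None when no range covers it."""
        # Same test as the KQL 'between (first_ip .. end_ip)', but O(log n).
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1   # last range starting <= n
        if i >= 0 and self.ranges[i].first <= n <= self.ranges[i].last:
            return self.ranges[i]
        return None
```

Ranges in the real file are non-overlapping, so the single candidate found by bisect is the only one that can contain the address.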