Forum Discussion

jwalasingh
Copper Contributor
Mar 09, 2022

source ip location and filtering based on the geolocation

Hi All,

Greetings.

I need to check whether any IP address from Ukraine or Russia is connecting to my network through my perimeter FortiGate firewall. Could you please let me know how I can do the filtering based on geolocation? How can I achieve this?

Thanks in advance for your support.

  • Clive_Watson
    Bronze Contributor

    jwalasingh

    Good timing - I just answered this type of question on another thread earlier today, maybe

    let IP_Data =
        external_data(network:string, geoname_id:long, continent_code:string, continent_name:string, country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
        ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
        with (ignoreFirstRecord=true, format="csv");   // skip the CSV header row
    CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    | where DeviceProduct startswith "Forti"
    | summarize ipCount=count() by IPAddress=DestinationIP    // line 8: use SourceIP here to see who is connecting in
    | where isnotempty(IPAddress)
    | evaluate ipv4_lookup(IP_Data, IPAddress, network)       // matches IPAddress against the CIDR 'network' column
    | where country_iso_code in ('RU','UA')

    You just need to swap line #8 to SourceIP if you want that instead? You may need to add other 'where' filters, but this should be the basics.

    • Dutchboy
      Copper Contributor
      Hello Clive, while running the query, values such as network and iso code are not being recognised by the editor. Any idea as to why?
      • Clive_Watson
        Bronze Contributor

        Dutchboy

        I'm assuming the IP_data can be retrieved?

        let IP_Data =
            external_data(network:string, geoname_id:long, continent_code:string, continent_name:string, country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
            ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
            with (ignoreFirstRecord=true, format="csv");
        IP_Data   // just return the table, to confirm the external CSV can be fetched

        The rest of the query assumes you have a Forti log source; you could look to see if you have any others in the CommonSecurityLog table (it won't work if you have no firewalls sending data or if the firewall uses other columns). This would look for any Product in the CEF table:

        let IP_Data =
            external_data(network:string, geoname_id:long, continent_code:string, continent_name:string, country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
            ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
            with (ignoreFirstRecord=true, format="csv");
        CommonSecurityLog
        // | where DeviceVendor == "Fortinet"            // vendor/product filters removed: any CEF source
        // | where DeviceProduct startswith "Forti"
        | summarize ipCount=count() by IPAddress=DestinationIP, DeviceProduct    // keep DeviceProduct to see which source matched
        | where isnotempty(IPAddress)
        | evaluate ipv4_lookup(IP_Data, IPAddress, network)
        | where country_iso_code in ('RU','UA')

        You could also test against a source like SigninLogs if you have AAD?

        let IP_Data =
            external_data(network:string, geoname_id:long, continent_code:string, continent_name:string, country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
            ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
            with (ignoreFirstRecord=true, format="csv");
        SigninLogs
        | summarize ipCount=count() by IPAddress    // SigninLogs already carries the client IP as IPAddress
        | where isnotempty(IPAddress)
        | evaluate ipv4_lookup(IP_Data, IPAddress, network)



    • Jonhed
      Steel Contributor
      This is the first time I saw this ipv4_lookup plugin, it looks great.
      Is this something that was added recently?
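The KQL in this thread only runs inside Sentinel, so the following is an added Python version of the same lookup logic, written for this page and not taken from the thread or from Microsoft Sentinel. It parses a few constructed FortiGate CEF lines (the raw form of what lands in CommonSecurityLog), counts events per IP, matches each IP against a constructed GeoIP table laid out like geoip2-ipv4.csv, and keeps only the countries of interest. The networks (RFC 5737 documentation ranges), log lines and function names (parse_cef, load_geoip, country_of, geo_hits) are all invented for the example; the src versus dst choice that the "swap line #8" remark above is about is a parameter here.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed GeoIP table with the column layout of the geoip2-ipv4.csv the
# thread loads via external_data(). Networks and country mappings are invented
# (RFC 5737 documentation ranges), not real allocations.
GEOIP_CSV = """\
network,geoname_id,continent_code,continent_name,country_iso_code,country_name,is_anonymous_proxy,is_satellite_provider
198.51.100.0/24,1,EU,Europe,RU,Russia,0,0
198.51.100.128/25,2,EU,Europe,UA,Ukraine,0,0
203.0.113.0/24,3,NA,North America,US,United States,0,0
"""

# Constructed CEF lines in the shape a FortiGate forwards to Sentinel's
# CommonSecurityLog: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
CEF_LINES = [
    "CEF:0|Fortinet|Fortigate|v6.4.8|0000000013|forward|3|src=198.51.100.10 dst=10.0.0.5 act=deny",
    "CEF:0|Fortinet|Fortigate|v6.4.8|0000000013|forward|3|src=198.51.100.200 dst=10.0.0.5 act=accept",
    "CEF:0|Fortinet|Fortigate|v6.4.8|0000000013|forward|3|src=198.51.100.10 dst=10.0.0.9 act=deny",
    "CEF:0|Fortinet|Fortigate|v6.4.8|0000000013|forward|3|src=203.0.113.7 dst=10.0.0.5 act=accept",
    "CEF:0|Fortinet|Fortigate|v6.4.8|0000000013|forward|3|src=192.168.1.20 dst=198.51.100.10 act=accept",
    "CEF:0|Palo Alto Networks|PAN-OS|10.1|TRAFFIC|end|3|src=198.51.100.33 dst=10.0.0.5 act=allow",
]

HEADER_FIELDS = ["version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "SignatureID", "Name", "Severity"]


def parse_cef(line):
    """Minimal CEF parser: 7 pipe-delimited header fields, then key=value extensions.
    It does not handle escaped pipes or spaces inside values, which is enough here."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event.update(re.findall(r"(\w+)=(\S+)", parts[7]))
    return event


def load_geoip(csv_text):
    """Return [(ip_network, country_iso_code)] sorted most-specific first, so a
    linear scan yields the longest matching prefix if networks ever overlap."""
    rows = [(ipaddress.ip_network(r["network"]), r["country_iso_code"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def country_of(table, ip):
    """One-address equivalent of the thread's ipv4_lookup join. Returns None when
    no network covers the address (RFC 1918 space is absent from the table)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr in net:
            return cc
    return None


def geo_hits(lines, table, countries=("RU", "UA"), ip_field="src", vendor="Fortinet"):
    """Mirror of the KQL: restrict to one vendor, count events per IP, geolocate,
    keep only the listed countries. ip_field='src' answers 'who is connecting
    to me'; 'dst' is what the thread's original query summarised."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        if vendor and ev["DeviceVendor"] != vendor:
            continue
        if ip_field in ev:
            counts[ev[ip_field]] += 1
    hits = {}
    for ip, n in counts.items():
        cc = country_of(table, ip)
        if cc in countries:
            hits[ip] = (cc, n)
    return hits


if __name__ == "__main__":
    table = load_geoip(GEOIP_CSV)
    for ip, (cc, n) in sorted(geo_hits(CEF_LINES, table).items()):
        print(f"{ip:<16} {cc} {n} events")
```

Two things this makes visible that the KQL hides: private addresses such as 192.168.1.20 never match a row and are silently dropped, and the geo table is a static snapshot, so the CSV from GitHub should be refreshed (or replaced with a maintained feed) before the result is trusted for blocking decisions.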
