Forum Discussion
Solved
source ip location and filtering based on the geolocation
Hi All, Greetings.. need to check if any IP address from Ukraine and Russia is connecting to my network through my Perimeter FortiGate Firewall. could you please let me know how i can do the fil...
Good timing - I just answered this type of question on another thread earlier today, maybe
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool) ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'] with (ignoreFirstRecord=true, format="csv"); CommonSecurityLog | where DeviceVendor == "Fortinet" | where DeviceProduct startswith "Forti" | summarize ipCount=count() by IPAddress=DestinationIP | where isnotempty(IPAddress) | evaluate ipv4_lookup(IP_Data, IPAddress, network) | where country_iso_code in ('RU','UA')You just ned to swap line #8 to SourceIP if you want that instead? You may need to add other 'where' filters but this should be the basics.
Good timing - I just answered this type of question on another thread earlier today, maybe
let IP_Data =
external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Forti"
| summarize ipCount=count() by IPAddress=DestinationIP
| where isnotempty(IPAddress)
| evaluate ipv4_lookup(IP_Data, IPAddress, network)
| where country_iso_code in ('RU','UA')
You just ned to swap line #8 to SourceIP if you want that instead? You may need to add other 'where' filters but this should be the basics.