jwalasingh
Mar 09, 2022 (Copper Contributor)
source ip location and filtering based on the geolocation
Hi All, Greetings.. I need to check if any IP address from Ukraine or Russia is connecting to my network through my perimeter FortiGate firewall. Could you please let me know how I can do the fil...
Clive_Watson
Mar 09, 2022 (Bronze Contributor)
Good timing - I just answered this type of question on another thread earlier today, maybe
let IP_Data = // GeoIP table loaded at query time from the public geoip2-ipv4 CSV
external_data(network:string,geoname_id:long,continent_code:string,continent_name:string,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv"); // skip the CSV header row
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Forti"
| summarize ipCount=count() by IPAddress=DestinationIP // change to SourceIP for inbound connections
| where isnotempty(IPAddress)
| evaluate ipv4_lookup(IP_Data, IPAddress, network) // match each IP to its GeoIP network range
| where country_iso_code in ('RU','UA')
You just need to swap line #8 to SourceIP if you want that instead? You may need to add other 'where' filters but this should be the basics.
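To make the join and filter in that query concrete, here is an added Python example (not from the thread and not Microsoft's code) that reproduces the pipeline offline: it parses a GeoIP table in the same column layout as the CSV above, matches each IP to its network range the way ipv4_lookup does, and keeps only destinations resolving to the requested countries. The GeoIP rows and the CommonSecurityLog-style records are constructed sample data, not real MaxMind or firewall output. The lookup picks the most specific (longest-prefix) network when ranges overlap; the thread's CSV normally has non-overlapping networks, so for that data it reduces to a plain containment check. Empty IPs, unparseable IPs, and IPs in no listed range are dropped, exactly as the query's isnotempty filter and the lookup join drop them.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed GeoIP table in the column layout of geoip2-ipv4.csv
# (sample rows only; XX is a placeholder country code, not real data).
GEOIP_CSV = """network,geoname_id,continent_code,continent_name,country_iso_code,country_name,is_anonymous_proxy,is_satellite_provider
5.0.0.0/8,0,EU,Europe,XX,Placeholder-Europe,0,0
5.8.0.0/16,0,EU,Europe,RU,Russia,0,0
5.8.255.0/24,0,EU,Europe,UA,Ukraine,0,0
8.8.8.0/24,0,NA,North America,US,United States,0,0
"""

# Constructed CommonSecurityLog-style records (only the fields the query uses).
LOG_RECORDS = [
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate", "SourceIP": "10.1.1.5", "DestinationIP": "5.8.10.1"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate", "SourceIP": "10.1.1.6", "DestinationIP": "5.8.10.1"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate", "SourceIP": "10.1.1.7", "DestinationIP": "5.8.255.9"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate", "SourceIP": "10.1.1.8", "DestinationIP": "8.8.8.8"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate", "SourceIP": "10.1.1.9", "DestinationIP": "5.1.2.3"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate", "SourceIP": "10.1.1.9", "DestinationIP": ""},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate", "SourceIP": "10.1.1.9", "DestinationIP": "192.0.2.7"},
    {"DeviceVendor": "PaloAlto", "DeviceProduct": "PAN-OS", "SourceIP": "10.1.1.9", "DestinationIP": "5.8.10.1"},
]


def load_geoip(csv_text):
    """Parse the CSV into (network, row) pairs. DictReader consumes the
    header row, which is what ignoreFirstRecord=true does in the query."""
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        table.append((ipaddress.ip_network(row["network"], strict=False), row))
    return table


def ipv4_lookup(table, ip_text):
    """Return the GeoIP row whose network contains ip_text, preferring the
    most specific (longest prefix) network when ranges overlap. Returns None
    for unparseable addresses and for addresses in no listed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    best = None
    for net, row in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row)
    return best[1] if best else None


def flagged_destinations(records, table, ip_field="DestinationIP", countries=("RU", "UA")):
    """Reproduce the KQL pipeline: filter on vendor/product, count per IP,
    drop empty IPs, look each IP up, keep only the requested countries.
    Pass ip_field="SourceIP" for inbound connections, as the thread suggests."""
    counts = Counter(
        r[ip_field]
        for r in records
        if r["DeviceVendor"] == "Fortinet"
        and r["DeviceProduct"].startswith("Forti")
        and r[ip_field]  # isnotempty(IPAddress)
    )
    hits = []
    for ip, n in counts.items():
        geo = ipv4_lookup(table, ip)
        if geo is not None and geo["country_iso_code"] in countries:
            hits.append({"IPAddress": ip, "ipCount": n, "country_iso_code": geo["country_iso_code"]})
    return sorted(hits, key=lambda h: h["IPAddress"])


if __name__ == "__main__":
    for hit in flagged_destinations(LOG_RECORDS, load_geoip(GEOIP_CSV)):
        print(hit)
```

Running it reports 5.8.10.1 (seen twice, RU) and 5.8.255.9 (once, UA); the US address, the placeholder-country address, the empty field, the unlisted 192.0.2.7, and the non-Fortinet record are all dropped. Running the same function with ip_field="SourceIP" returns nothing for this sample, because every source is a private address with no GeoIP entry, which is the same reason the Sentinel query silently omits such rows.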
Jonhed
Mar 09, 2022 (Iron Contributor)
This is the first time I saw this ipv4_lookup plugin, it looks great.
Is this something that was added recently?
Clive_Watson
Mar 09, 2022 (Bronze Contributor)
In the past 6-12 months maybe - not sure 😉
514039847qqcom
Nov 17, 2022 (Copper Contributor)
Hello, friend, I lost my laptop. I only have the MAC address; can I get the criminal's internet IP location?
514039847qqcom
Nov 17, 2022 (Copper Contributor)
I can use my Microsoft account to search the laptop location, but it is not very accurate, around 200 m difference. The criminal uses it to connect with WiFi. Can I get his IP?