Forum Discussion
jwalasingh
Mar 09, 2022Copper Contributor
source ip location and filtering based on the geolocation
Hi All, Greetings.. need to check if any IP address from Ukraine and Russia is connecting to my network through my Perimeter FortiGate Firewall. could you please let me know how i can do the fil...
- Mar 09, 2022
Good timing - I just answered this type of question on another thread earlier today, maybe
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool) ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'] with (ignoreFirstRecord=true, format="csv"); CommonSecurityLog | where DeviceVendor == "Fortinet" | where DeviceProduct startswith "Forti" | summarize ipCount=count() by IPAddress=DestinationIP | where isnotempty(IPAddress) | evaluate ipv4_lookup(IP_Data, IPAddress, network) | where country_iso_code in ('RU','UA')
You just ned to swap line #8 to SourceIP if you want that instead? You may need to add other 'where' filters but this should be the basics.
Dutchboy
Copper Contributor
Hello Clive, while running the query the values such as network , iso code are note being recognised by the editor. any idea to as why ?
Clive_Watson
Dec 05, 2022Bronze Contributor
I'm assuming the IP_data can be retrieved?
let IP_Data =
external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
IP_Data
The rest of the query assumes you have a Forti log source, you could look to see if you have any others in the CommonSecurityLog table (it won't work if you have no Firewalls sending data or if the Firewall uses other columns). This would look for any Product in the CEF Table:
let IP_Data =
external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
CommonSecurityLog
// | where DeviceVendor == "Fortinet"
// | where DeviceProduct startswith "Forti"
| summarize ipCount=count() by IPAddress=DestinationIP, DeviceProduct
| where isnotempty(IPAddress)
| evaluate ipv4_lookup(IP_Data, IPAddress, network)
| where country_iso_code in ('RU','UA')
You could also test against a source like SigninLogs if you have AAD?
let IP_Data =
external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
SigninLogs
| summarize ipCount=count() by IPAddress
| where isnotempty(IPAddress)
| evaluate ipv4_lookup(IP_Data, IPAddress, network)
- DutchboyDec 05, 2022Copper Contributor
- Clive_WatsonDec 05, 2022Bronze ContributorWhat is the error, can you show that?
Does it work for you in the Microsoft demo Logs? https://portal.azure.com#@4bd2cd73-7c32-48aa-8a02-646c8bc0d343/blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade/aiDemo/true/resourceId/%2FDemo/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAA1WRQUvEMBCF7%252Fsrwl62hboF8VTpQRRB8CB6FAnZduyGbTJlZtJuxR9vUnZdzS3fe5m8x%252FQg6ulFPxgxqlYrFQ8cBcibXrcRZh5kQjpULGR9V3SA3jjQtq16jPcGvVgPXnSDLZxdF5rMJ6oiDl5o1pbxnz39etb%252BPCgsa%252BPRzw4D64HwOFc7xD5xNgJ9bwUSH20LtEj50uB9sxcZuCpLMtO2s7IPu8BAKVYMtW3Qlakcg3AZG9nh%252BsoO403pDMfui%252FaXbxseNx%252FL6CkOU5ntPBI8WmJ5hQaprYUCFOoTyRmp19G%252Fzm9Xb9Fn%252FTN2vPpWHJwzZL9A2eE%252Bla2XylmudnNcwV3bEjArFa3THija2KOAG2TOfuU8qjCaPsT6KkXTPeIhDNlph8VlUqFOq8t%252FAASp3erkAQAA/timespan/P1D
- DutchboyDec 05, 2022Copper ContributorIP_Data is retrievable. But as i understand , dont see "ipv4_lookup" under the evaluate query value.
- Clive_WatsonDec 05, 2022Bronze Contributor"network" and "ip_data" both come from the external data source - so if you still have an error (whatever that error is) it is probably the IPAddress column.
What do you mean by: 'dont see "ipv4_lookup"' - is the error message returned - "no data found" or something else?