
Geolocation and related visualisations (world map)

agrigorof
Occasional Contributor

Are there any options to extract geolocation information from the various tables that contain IP addresses? 

How about the related visualizations like the world map of "Potential malicious events" that is shown on the Sentinel's homepage? 

3 Replies

If you click on that map you get taken to the logs and the query used; you have data like RemoteIPCountry and the longitude and latitude displayed there.

 

One other query example might be 

 

W3CIISLog
| where isnotempty(MaliciousIP)
| summarize count() by RemoteIPCountry, RemoteIPLatitude, RemoteIPLongitude

or

 

W3CIISLog
| where isnotempty(MaliciousIP)
| summarize count() by RemoteIPCountry,  IndicatorThreatType

[image: Annotation 2019-03-26 193908.jpg]

@Clive Watson 

Thanks, Clive, for the prompt reply.

 

The W3CIISLog table appears to have those fields populated by Sentinel at index time. Tables such as CommonSecurityLog don't have these fields even if source and destination IPs are present (with various names, depending on the device sending the logs).

 

For example, for a Palo Alto firewall, with the logs sent in CEF format, one gets DestinationIP and SourceIP but the RemoteIP field doesn't get populated (and no RemoteIPCountry, etc.). I could, in principle, adjust the log format to send RemoteIP populated with the DestinationIP value - I'm not sure if that will trigger the creation of the corresponding RemoteIPCountry and geo information. I will test this, just to see if it makes any difference.

 

For the Syslog table, where we may need to extract the source and destination IPs from a generic field (such as Message), we would need a way to create the geolocation fields from those IPs at search time.

 

Another issue is that I don't see any option of rendering the results that contain this information as a map chart.
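The search-time enrichment asked for above can be done in KQL today. The query below is an added example, not from any poster in this thread; it assumes the Log Analytics Syslog table with its SyslogMessage column and the KQL geo_info_from_ip_address() function, which was added to the language well after this thread was written. The regular expression is a constructed placeholder for whatever the device's message format actually looks like.

```kql
// Added example: derive RemoteIPCountry / latitude / longitude at query time
// for IPs that only exist inside free-text Syslog messages.
Syslog
| where TimeGenerated > ago(1d)
// Pull the first IPv4-looking token out of the message. Constructed pattern;
// adjust the capture group to the sending device's actual log format.
| extend RemoteIP = extract(@"\b(\d{1,3}(?:\.\d{1,3}){3})\b", 1, SyslogMessage)
| where isnotempty(RemoteIP)
// Private and loopback ranges have no meaningful geolocation, so drop them
// rather than letting them land on a map as a bogus country.
| where not(ipv4_is_private(RemoteIP)) and RemoteIP != "127.0.0.1"
// geo_info_from_ip_address() returns a dynamic object with country, state,
// city, latitude and longitude.
| extend Geo = geo_info_from_ip_address(RemoteIP)
| extend RemoteIPCountry   = tostring(Geo.country),
         RemoteIPLatitude  = toreal(Geo.latitude),
         RemoteIPLongitude = toreal(Geo.longitude)
// Same shape as the W3CIISLog summary earlier in the thread, so the result
// can feed the same kind of visualisation.
| summarize Events = count() by RemoteIPCountry, RemoteIPLatitude, RemoteIPLongitude
| order by Events desc
```

For CommonSecurityLog the extract() step is unnecessary: apply geo_info_from_ip_address() directly to SourceIP or DestinationIP. The summarized country/latitude/longitude rows can then be plotted with the Map visualization in an Azure Workbook, which is where the world-map rendering lives rather than in the query itself.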

As a quick update, sending the logs with RemoteIP populated has no effect on the RemoteIP field in the CommonSecurityLog (that remains empty). 
