Forum Discussion
KQL question
Would this work, it maps your IP from AzureActivity to the data from the CSV file?
externaldata (network:string,geoname_id:string,continent_code:string,continent_name:string,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
[@"https://datahub.io/core/geoip2-ipv4/r/geoip2-ipv4.csv"] with(format="csv", ignoreFirstRecord=true)
// select only the IP addr
| project geoNetworkip = tostring(split(network,"/").[0]), continent_name, continent_code
// join to AzureActicity Table
| join kind= inner
(
AzureActivity
// | project CallerIpAddress = "41.186.0.0" // add a fake match to test
| project CallerIpAddress
) on $left.geoNetworkip == $right.CallerIpAddress
| project geoNetworkip, CallerIpAddress, continent_name, continent_code Go to Log Analytics and run query
Adapted from an old post of mine: https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2019/08/13/azure-log-analytics-how-to-read-a-file/
Thanks for the solution but this won't help in conditions with IPs falling in between the range. For instance, 47.7.8.8.
The csv contains the ranges and not direct IPs that can be mapped.
How to go about in finding the location for all the Ip addresses. Most of which fall in the mid of the ranges provided.
Hello uditk14
I will stress this is just a sample, its not very optimized and there is probably a better way to do this (I just cant think of one currently - so I need to take a break from it, to help me think!)// source idea: https://techcommunity.microsoft.com/t5/azure-sentinel/approximate-partial-and-combined-lookups-in-azure-sentinel/ba-p/1393795 // get lookup data let geoData = externaldata (network:string,geoname_id:string,continent_code:string, continent_name:string,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool) [@"https://datahub.io/core/geoip2-ipv4/r/geoip2-ipv4.csv"] with(format="csv", ignoreFirstRecord=true); // now turn remote data to scalar let lookup = toscalar( geoData | summarize list_CIDR=make_set(network) ); // link to Azure Activity and specifically CallerIpAddress AzureActivity // get a small time range (this REALLY helps perf!!!!) | where TimeGenerated > ago(2h) | mv-apply list_CIDR=lookup to typeof(string) on ( // Match each IP from 'CallerIpAddress' with the remote 'network' column where ipv4_is_match (CallerIpAddress, list_CIDR) //== false ) // summarize to remove any duplicates | summarize by CallerIpAddress, list_CIDR | join kind=inner ( // join to remote data again, to add enrichments geoData ) on $left.list_CIDR == $right.network // build final display | summarize by CallerIpAddress, network, country_name, country_iso_code- I'm struggling a bit with geo ip since it takes a big performance hit.
eg. using Clive's query above I'm given performance warnings even though I'm using it for just 1 hour of data which is about 4k rows.
And the output is just 32 rows.
I'd love if a geo lookup was built into KQL (like SPL does) or there was method that works over large volumes of data.- Are you bringing in TI feeds? https://docs.microsoft.com/en-us/azure/sentinel/whats-new#enriched-threat-intelligence-with-geolocation-and-whois-data-public-preview These are now enriched with geo location and whois.
Below this there is a REST api https://docs.microsoft.com/en-us/azure/sentinel/geolocation-data-api
