Feb 01 2022
07:07 AM
- last edited on
Apr 08 2022
10:59 AM
by
TechCommunityAP
Hi Team
In the long list of data that we can gather with log analytics (MAP, .. ) we frequently have the IP address of the machine (source, destination, etc).
I would like to find a way to display the name of the network having the IP Address.
I imagine having a variable that contains an array like:
NetworkFrance 10.1.1.*
NetworkUK 10.2.2.*
etc
.. and link this in a query, so IP 10.1.1.23 will display "France".
Do you know what would be the logic to reach that goal?
Thanks a lot.
Regards.
Feb 01 2022 07:54 AM
@fred_efr There are options, like this example:
// ip to lookup
let ipAddress = '1.1.1.1';
// get data from here (public GeoIP CSV, one row per network range in CIDR form)
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
// ipv4_lookup expects the IP to be a column of the input table, not a scalar,
// so turn the let variable into a one-row table first
print ipAddress = ipAddress
| evaluate ipv4_lookup(IP_Data, ipAddress, network)
| summarize arg_max(network,*) by ipAddress
| extend IPaddress = ipAddress
| project-away *1
| project-reorder IPaddress
Feb 01 2022 09:07 AM
Feb 01 2022 11:38 AM
Hello @fred_efr
Yes you can: Functions in Azure Monitor log queries - Azure Monitor | Microsoft Docs
Use this code - SAVE AS a function (choose a better name than "ipC")
// Save as a function named ipC with one parameter: ipAddress:string
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
// the function parameter is a scalar; ipv4_lookup needs it as a column of the input table
print ipAddress = ipAddress
| evaluate ipv4_lookup(IP_Data, ipAddress, network)
| summarize arg_max(network,*) by ipAddress
| project country_name
You can then type
ipC("90.1.1.1")
Feb 02 2022 09:25 AM
Feb 03 2022 02:53 AM
That's easier outside of a function - but not quite as neat:
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
Heartbeat
| evaluate ipv4_lookup(IP_Data, ComputerIP,network)
| project Computer, ComputerIP, network, country_name
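The asker's original idea, a hand-maintained list of named internal networks rather than the public GeoIP CSV, as an added example that is not part of any post in this thread. The network names, CIDR ranges and the Hosts table are constructed; in a workspace, Hosts would be replaced by Heartbeat (Computer, ComputerIP) as in the reply above.

```kql
// Constructed lookup table: one row per named network, in CIDR notation
// (ipv4_lookup matches on CIDR ranges, so "10.1.1.*" becomes "10.1.1.0/24").
let NamedNetworks = datatable(NetworkName:string, Cidr:string) [
    "NetworkFrance",  "10.1.1.0/24",
    "NetworkUK",      "10.2.2.0/24",
    "NetworkUK-Mgmt", "10.2.2.128/25",   // more specific range nested inside NetworkUK
    "NetworkDE",      "10.3.0.0/16"
];
// Constructed stand-in for Heartbeat; replace with: Heartbeat | project Computer, ComputerIP
let Hosts = datatable(Computer:string, ComputerIP:string) [
    "paris-srv01",  "10.1.1.23",
    "london-srv02", "10.2.2.17",
    "london-mgmt",  "10.2.2.200",
    "berlin-srv03", "10.3.4.5",
    "unknown-host", "192.168.7.7"       // no matching network
];
Hosts
// return_unmatched keeps hosts whose IP is in no known range (lookup columns come back empty)
| evaluate ipv4_lookup(NamedNetworks, ComputerIP, Cidr, return_unmatched = true)
// Ranges can overlap; collapse each host to its most specific match (longest prefix)
// so 10.2.2.200 resolves to NetworkUK-Mgmt rather than NetworkUK.
| extend PrefixLen = iff(isempty(Cidr), -1, toint(split(Cidr, "/")[1]))
| summarize arg_max(PrefixLen, NetworkName, Cidr) by Computer, ComputerIP
| extend NetworkName = iff(isempty(NetworkName), "Unassigned", NetworkName)
| project Computer, ComputerIP, NetworkName, Cidr
```

Unassigned hosts are worth keeping in the output: an IP that matches none of your named ranges is exactly the kind of row an inventory or detection query should surface rather than silently drop.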