Calling APIs from KQL??


Is it possible to make API calls from KQL/query explorer?

2 Replies
You can use the externaldata operation in KQL - https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel/ba-p/10...
But this is rather limited as there is no way to authenticate.

If you need access to an API that requires authentication, you should write a Logic App and use that.

@Thijs Lecomte - 

I have used the externaldata operator to fetch data from a CSV with a few columns, namely IP ranges, country code, country name, continent name, etc.

In the Azure Activity table there is a CallerIP value.

I need to print the location for each caller IP.

CSV file - https://datahub.io/core/geoip2-ipv4#premium-data-2

Can you help me with the KQL??

@hspinto
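
One way to do the lookup described above, as an added example that is not part of the original thread. It assumes the CSV uses the column layout declared below, that the caller address is in the `CallerIpAddress` column of `AzureActivity`, and that the URL (a placeholder here) points at the raw CSV file rather than the dataset's landing page.

```kql
// Added example: geolocate AzureActivity callers against a public GeoIP CSV.
// The URL is a placeholder; replace it with the raw CSV download link.
// Column names and types are an assumption about the file's header row.
let GeoIP = externaldata(
        network: string,
        geoname_id: long,
        continent_code: string,
        continent_name: string,
        country_iso_code: string,
        country_name: string,
        is_anonymous_proxy: bool,
        is_satellite_provider: bool)
    [@"https://example.com/geoip2-ipv4.csv"]
    with (format="csv", ignoreFirstRecord=true);
AzureActivity
| where TimeGenerated > ago(1d)
| where isnotempty(CallerIpAddress)
// Keep only values that parse as IPv4; the lookup below is IPv4-only.
| where isnotnull(parse_ipv4(CallerIpAddress))
// Collapse to one row per caller/IP before the lookup to keep it cheap.
| summarize Operations = count(), LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress
// Match each address to the CIDR range in 'network' that contains it.
// Addresses with no matching range are dropped from the result.
| evaluate ipv4_lookup(GeoIP, CallerIpAddress, network)
| project Caller, CallerIpAddress, country_name, country_iso_code,
    continent_name, Operations, LastSeen
| order by Operations desc
```

Because `externaldata` fetches the file without authentication each time the query runs, the results are only as trustworthy as whoever controls that URL; hosting a reviewed copy of the CSV in storage you manage keeps the enrichment stable.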