
Geolocation and related visualisations (world map)


Are there any options to extract geolocation information from the various tables that contain IP addresses? 

How about the related visualizations like the world map of "Potential malicious events" that is shown on the Sentinel's homepage? 

3 Replies

If you click on that map you get taken to the logs and the query used; you have data like RemoteIPCountry and the longitude and latitude displayed there.

One other query example might be

W3CIISLog
| where isnotempty(MaliciousIP)
| summarize count() by RemoteIPCountry, RemoteIPLatitude, RemoteIPLongitude

or

 

W3CIISLog
| where isnotempty(MaliciousIP)
| summarize count() by RemoteIPCountry, IndicatorThreatType

[image: Annotation 2019-03-26 193908.jpg]



@Clive Watson 

Thanks, Clive, for the prompt reply.

 

The W3CIISLog table appears to have those fields populated by Sentinel at index time. Tables such as CommonSecurityLog don't have these fields even if source and destination IPs are present (with various names, depending on the device sending the logs).

 

For example, for a Palo Alto firewall, with the logs sent in CEF format one gets DestinationIP and SourceIP, but the RemoteIP field doesn't get populated (and no RemoteIPCountry, etc.). I could, in principle, adjust the log format to send RemoteIP populated with the DestinationIP value; I'm not sure if that will trigger the creation of the corresponding RemoteIPCountry and geo information. I will test this, just to see if it makes any difference.

 

For the Syslog table, where we may need to extract the source and destination IPs from a generic field (such as Message), we would need a way to create the geolocation fields from those IPs at search time.

 

Another issue is that I don't see any option of rendering the results that contain this information as a map chart.
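The search-time geolocation the post above asks for, as an added example that is not part of this thread: it takes Syslog-style rows that only carry IPs inside the message text, pulls the source and destination addresses out with a regex, picks the non-private side as the "remote" IP, and builds RemoteIPCountry/RemoteIPLatitude/RemoteIPLongitude columns on the fly so the result has the same shape as the W3CIISLog queries earlier in the thread. It assumes the workspace supports the KQL function geo_info_from_ip_address(), which was added to Kusto well after this thread was written; the SampleSyslog rows are constructed for the example and are not real firewall logs.

```kusto
// Added example (not from the thread). Constructed Syslog-like rows standing in
// for the real Syslog table; the IPs are RFC 5737 documentation addresses.
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, SyslogMessage:string)
[
    datetime(2019-03-26 19:39:00), "fw01", "TRAFFIC deny src=198.51.100.23 dst=10.0.0.5 dport=445",
    datetime(2019-03-26 19:39:07), "fw01", "TRAFFIC allow src=192.168.1.10 dst=203.0.113.77 dport=443",
    datetime(2019-03-26 19:39:12), "fw02", "TRAFFIC deny src=203.0.113.9 dst=10.0.0.5 dport=22",
    datetime(2019-03-26 19:39:20), "fw02", "SYSTEM config commit by admin"
];
SampleSyslog
// Extract both addresses from the free-text message; rows without them yield empty strings.
| extend SourceIP = extract(@"src=(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage),
         DestinationIP = extract(@"dst=(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// The "remote" party is whichever end is not in RFC 1918 private space.
| extend RemoteIP = iff(ipv4_is_private(SourceIP), DestinationIP, SourceIP)
// Internal-to-internal traffic has no public side to geolocate; drop it rather than
// feeding private addresses to the geo lookup.
| where not(ipv4_is_private(RemoteIP))
// Assumption: geo_info_from_ip_address() is available in this workspace. It returns a
// dynamic object with country, state, city, latitude and longitude.
| extend Geo = geo_info_from_ip_address(RemoteIP)
| extend RemoteIPCountry = tostring(Geo.country),
         RemoteIPLatitude = todouble(Geo.latitude),
         RemoteIPLongitude = todouble(Geo.longitude)
| summarize Events = count() by RemoteIPCountry, RemoteIPLatitude, RemoteIPLongitude
```

Replacing SampleSyslog with the real Syslog table (or with CommonSecurityLog, which already carries SourceIP and DestinationIP so the two extract lines can be dropped) runs the same logic over live data; note that the documentation addresses in the sample will not resolve to a country, so the geo columns only populate on real public IPs. The summarized latitude/longitude columns can then be fed to a Sentinel Workbook's Map visualization, which is where the map chart lives rather than in the Logs blade's render options.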


As a quick update, sending the logs with RemoteIP populated has no effect on the RemoteIP field in the CommonSecurityLog (that remains empty).