Mar 26 2019 10:24 AM
Are there any options to extract geolocation information from the various tables that contain IP addresses?
How about the related visualizations like the world map of "Potential malicious events" that is shown on the Sentinel's homepage?
Mar 26 2019 12:40 PM
If you click on that map you get taken to the logs and the query used;you have data like RemoteIPCountry and the longitude and latitude displayed there.
One other query example might be
W3CIISLog | where isnotempty(MaliciousIP) | summarize count() by RemoteIPCountry, RemoteIPLatitude, RemoteIPLongitude
or
W3CIISLog | where isnotempty(MaliciousIP) | summarize count() by RemoteIPCountry, IndicatorThreatType
Mar 26 2019 01:04 PM
Thanks, Clive for the prompt reply.
The W3CIISLog table appear to have those field populated by Sentinel at index time. Tables such as CommonSecurityLog don't have these fields even if source and destination IPs are present (with various names, depending on the device sending the logs).
For example, for a Palo Alto firewall, with the logs sent in CEF format one gets DestinationIP and SourceIP but the RemoteIP field doesn't get populated (and no RemoteIPCountry, etc...). I could, in principle, adjust the log format to send RemoteIP populated with the DestinationIP value - I'm not sure if that will trigger the creation of the corresponding RemoteIPCountry and geo information. I will test this, just to see if it makes any difference.
For Syslog table, where we may need to extract the source and destination IPs from a generic field (such as Message), we would need a way to create the geolocation fields from those IPs at search time.
Another issue is that I don't see any option of rendering the results that contain this information as a map chart.
Mar 26 2019 03:25 PM
As a quick update, sending the logs with RemoteIP populated has no effect on the RemoteIP field in the CommonSecurityLog (that remains empty).