cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

KQL query not showing sourec country info

akshay250692
Brass Contributor

‎Aug 24 2022 11:50 AM

‎Aug 24 2022 11:50 AM

KQL query not showing sourec country info

Hi Team,

 

I created one query from commonsecurity table it showing destination country info but not source country. Please help me to find out source country info also. source country column getting empty but destnation column getting info like ip and country name

 

CommonSecurityLog
| where DeviceProduct has 'PAN-OS' and DeviceVendor =~ 'Palo Alto Networks' and Activity =~ 'THREAT'
| where TimeGenerated >= ago(1d)
| extend IsLateral = iif(((ipv4_is_private(SourceIP) == true) and (ipv4_is_private(DestinationIP)== true)) , 'true', 'false')
    | where IsLateral == 'false'
    | extend IsOutbound = iif(((ipv4_is_private(SourceIP) == true) and (ipv4_is_private(DestinationIP) == false)) , 'true', 'false'),
             IsInbound = iif(ipv4_is_private(SourceIP) == false, 'true', 'false')
    | extend TrafficDirection = iif((IsOutbound == 'true'), "Outbound", "Inbound")
| extend Simplified_Firewall_Action = iif((DeviceAction in ("allow", "alert", "block-continue", "continue")), 'Allowed', 'Blocked')
| parse  kind=regex flags=U AdditionalExtensions with * "DstLocation=" DestinationCountry ';' * "SrcLocation=" SourceCountry
| summarize count() by DeviceEventClassID, LogSeverity, Detailed_Firewall_Action = DeviceAction, Simplified_Firewall_Action, TrafficDirection, SourceCountry, DestinationCountry
| project Date = now(-1d), Subtype = DeviceEventClassID, Severity = LogSeverity, Detailed_Firewall_Action, Simplified_Firewall_Action, TrafficDirection, SourceCountry, DestinationCountry, Count=count_

Labels:
1,053 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by akshay250692 (Brass Contributor)
Clive_Watson

‎Aug 25 2022 07:24 AM

‎Aug 25 2022 07:24 AM

Solution

Re: KQL query not showing sourec country info

Generally if the Vendor doesn't supply the data you would have to try and look it up in another Table.

By the way you could have used ASIM for this (simple example):

_Im_NetworkSession_PaloAltoCEFV06(starttime=ago(1d))
// or use _ASim_NetworkSession if you dont need a parameter https://docs.microsoft.com/en-us/azure/sentinel/network-normalization-schema
| where Activity =~"Threat"
| distinct DstGeoCountry, SrcGeoCountry

note: GeoCountry are optional in the schema
0 Likes
Reply
akshay250692

‎Aug 30 2022 03:29 AM

‎Aug 30 2022 03:29 AM

Re: KQL query not showing sourec country info

| parse kind=regex flags=U AdditionalExtensions with * "DstLocation=" DestinationCountry ';' * "SrcLocation=" SourceCountry : string
this is correct line.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by akshay250692 (Brass Contributor)
Clive_Watson

‎Aug 25 2022 07:24 AM

‎Aug 25 2022 07:24 AM

Solution

Re: KQL query not showing sourec country info

Generally if the Vendor doesn't supply the data you would have to try and look it up in another Table.

By the way you could have used ASIM for this (simple example):

_Im_NetworkSession_PaloAltoCEFV06(starttime=ago(1d))
// or use _ASim_NetworkSession if you dont need a parameter https://docs.microsoft.com/en-us/azure/sentinel/network-normalization-schema
| where Activity =~"Threat"
| distinct DstGeoCountry, SrcGeoCountry

note: GeoCountry are optional in the schema

View solution in original post

0 Likes
Reply