cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Find out more
SOLVED

source ip location and filtering based on the geolocation

jwalasingh
Copper Contributor

‎Mar 09 2022 01:28 AM

‎Mar 09 2022 01:28 AM

source ip location and filtering based on the geolocation

Hi All,

Greetings..

 

need to check if any IP address from Ukraine and Russia is connecting to my network through my Perimeter FortiGate Firewall. could you please let me know how i can do the filtering based on geolocation? how can i achieve this

 

Thanks in advance for your support.

 

Labels:
2,996 Views
0 Likes
11 Replies
Reply
11 Replies
best response confirmed by jwalasingh (Copper Contributor)
Clive_Watson

‎Mar 09 2022 02:09 AM

‎Mar 09 2022 02:09 AM

Solution

Re: source ip location and filtering based on the geolocation

@jwalasingh 

 

Good timing - I just answered this type of question on another thread earlier today, maybe

let IP_Data = 
    external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,    country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
    ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
    with (ignoreFirstRecord=true, format="csv");
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Forti"
| summarize ipCount=count() by IPAddress=DestinationIP    
| where isnotempty(IPAddress)
| evaluate ipv4_lookup(IP_Data, IPAddress, network)
| where country_iso_code  in ('RU','UA')

 

You just ned to swap line #8 to SourceIP if you want that instead?   You may need to add other 'where' filters but this should be the basics.

0 Likes
Reply
Jonhed

‎Mar 09 2022 03:08 AM

‎Mar 09 2022 03:08 AM

Re: source ip location and filtering based on the geolocation

This is the first time I saw this ipv4_lookup plugin, it looks great.
Is this something that was added recently?
0 Likes
Reply
Clive_Watson

‎Mar 09 2022 03:28 AM

‎Mar 09 2022 03:28 AM

Re: source ip location and filtering based on the geolocation

In the past 12-6months maybe - not sure ;)

1 Like
Reply
514039847qqcom

‎Nov 17 2022 07:57 AM

‎Nov 17 2022 07:57 AM

Re: source ip location and filtering based on the geolocation

hello, friend,I lost my laptop,I only have Mac address, can I get the criminal internet ip location?
0 Likes
Reply
514039847qqcom

‎Nov 17 2022 08:02 AM

‎Nov 17 2022 08:02 AM

Re: source ip location and filtering based on the geolocation

I can use microsoft count search the laptop location, but it is not very, accurate, arround 200m difference, criminal use it connect with wifi, Can I get his IP?
0 Likes
Reply
Dutchboy

‎Dec 04 2022 08:40 PM

‎Dec 04 2022 08:40 PM

Re: source ip location and filtering based on the geolocation

Hello Clive, while running the query the values such as network , iso code are note being recognised by the editor. any idea to as why ?
0 Likes
Reply
Clive_Watson

‎Dec 05 2022 01:24 AM

‎Dec 05 2022 01:24 AM

Re: source ip location and filtering based on the geolocation

@Dutchboy 

 

I'm assuming the IP_data can be retrieved?

let IP_Data = 
    external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,    country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
    ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
    with (ignoreFirstRecord=true, format="csv");
IP_Data

The rest of the query assumes you have a Forti log source, you could look to see if you have any others in the CommonSecurityLog table (it won't work if you have no Firewalls sending data or if the Firewall uses other columns).  This would look for any Product in the CEF Table:

let IP_Data = 
    external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,    country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
    ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
    with (ignoreFirstRecord=true, format="csv");
CommonSecurityLog
// | where DeviceVendor == "Fortinet"
// | where DeviceProduct startswith "Forti"
| summarize ipCount=count() by IPAddress=DestinationIP, DeviceProduct    
| where isnotempty(IPAddress)
| evaluate ipv4_lookup(IP_Data, IPAddress, network)
| where country_iso_code  in ('RU','UA')

 
You could also test against a source like SigninLogs if you have AAD?

let IP_Data = 
    external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,    country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
    ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
    with (ignoreFirstRecord=true, format="csv");
SigninLogs
| summarize ipCount=count() by IPAddress  
| where isnotempty(IPAddress)
| evaluate ipv4_lookup(IP_Data, IPAddress, network)



0 Likes
Reply
Dutchboy

‎Dec 05 2022 03:01 AM

‎Dec 05 2022 03:01 AM

Re: source ip location and filtering based on the geolocation

@Clive_Watson well i have tried it against AAD , still the same error in the editor.

Dutchboy_0-1670238068527.png

 

0 Likes
Reply
Clive_Watson

‎Dec 05 2022 03:09 AM

‎Dec 05 2022 03:09 AM

Re: source ip location and filtering based on the geolocation

What is the error, can you show that?

Does it work for you in the Microsoft demo Logs? https://portal.azure.com#@4bd2cd73-7c32-48aa-8a02-646c8bc0d343/blade/Microsoft_Azure_Monitoring_Logs...
0 Likes
Reply
Dutchboy

‎Dec 05 2022 03:18 AM

‎Dec 05 2022 03:18 AM

Re: source ip location and filtering based on the geolocation

IP_Data is retrievable. But as i understand , dont see "ipv4_lookup" under the evaluate query value.
0 Likes
Reply
Clive_Watson

‎Dec 05 2022 05:43 AM

‎Dec 05 2022 05:43 AM

Re: source ip location and filtering based on the geolocation

"network" and "ip_data" both come from the external data source - so if you still have an error (whatever that error is) it is probably the IPAddress column.
What do you mean by: 'dont see "ipv4_lookup"' - is the error message returned - "no data found" or something else?
0 Likes
Reply