Log source gives IP but not location, anything I can do to get location from IP?


Recently deployed a custom data connector that pulls logs from one of our BI tools. The logs contain who did what from what IP but that's about it. I'd like to have alerting for sign-ins or activity coming from another country; the problem here is "Location" isn't something the BI tool keeps a record of outside of the IP address.

My question is, what can I do to somehow get location from the IPs the logs do provide to create an alert for any out-of-country activity? Could I possibly set up something that looks at IPs from the last 7 days and alerts on new or anomalous IPs?

TIA


@Porter76 

This is one idea (it shows you how to find the country from an IP address) and also how to see if any country wasn't seen in the previous week:

let week_ = SigninLogs
    | where TimeGenerated between(startofday(ago(7d)) .. endofday(ago(2d)))
    | where isnotempty(IPAddress)
    | summarize count() by IPAddress
    | extend LocationDetails = geo_info_from_ip_address(IPAddress)   // resolve each IP to geo data
    | extend country = LocationDetails.country
    | distinct tostring(country)
;
SigninLogs
    | where TimeGenerated > ago(1d)
    | where isnotempty(IPAddress)
    | summarize count() by IPAddress
    | extend LocationDetails = geo_info_from_ip_address(IPAddress)
    | extend country = LocationDetails.country
    | distinct tostring(country), IPAddress
    | where country !in (week_)   // only show countries Today that were not seen before

Clive,
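The same approach adapted to a custom log table, as an added example that is not part of the thread. It goes a step further than the reply above by keeping the baseline per user and by flagging IPs that are new for that user as well as countries that are new, which covers the second half of the original question. The table name BiTool_CL and the columns UserName_s and SourceIp_s are assumed placeholders; substitute the names from your own custom table.

```kql
// Added example, not code from the thread. BiTool_CL, UserName_s and SourceIp_s are
// placeholder names for the custom table and its columns; TimeGenerated is standard.
let lookback = 7d;
// Baseline: for each user, the set of countries and IPs seen in the prior week (excluding today).
let baseline = BiTool_CL
    | where TimeGenerated between (ago(lookback) .. ago(1d))
    | where isnotempty(SourceIp_s)
    | extend geo = geo_info_from_ip_address(SourceIp_s)
    | extend country = tostring(geo.country)
    | where isnotempty(country)          // private/unroutable IPs resolve to no country; skip them
    | summarize seen_countries = make_set(country), seen_ips = make_set(SourceIp_s) by UserName_s;
// Today's activity, compared against that baseline.
BiTool_CL
    | where TimeGenerated > ago(1d)
    | where isnotempty(SourceIp_s)
    | extend geo = geo_info_from_ip_address(SourceIp_s)
    | extend country = tostring(geo.country)
    | where isnotempty(country)
    | summarize events = count(), first_seen = min(TimeGenerated) by UserName_s, SourceIp_s, country
    | join kind=leftouter baseline on UserName_s
    // A user with no baseline row at all (isnull) is treated as new on both counts.
    | extend new_country = isnull(seen_countries) or not(set_has_element(seen_countries, country))
    | extend new_ip      = isnull(seen_ips)       or not(set_has_element(seen_ips, SourceIp_s))
    | where new_country or new_ip
    | project first_seen, UserName_s, SourceIp_s, country, events, new_country, new_ip
    | order by first_seen asc
```

Schedule this as an analytics rule running once a day with a 1-day lookback; geo_info_from_ip_address relies on a built-in GeoLite2-style database, so treat the country as a coarse signal and expect VPN and mobile-carrier egress to produce some noise.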

Thanks a TON. I was able to modify this and get it to work using fields from the custom data table we deployed. Thanks again!!