Forum Discussion
Mapping IPs to autonomous systems number and name
You could approach this with the externaldata operator as mentioned here: https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306
I downloaded the "IP4 to ASN map" from here: https://iptoasn.com/ (use a source you trust and you validate...this is just an example)
I uploaded that file to Azure Blob (after unpacking it to a .CSV file), then generated a SAS token and URL. I use the URL created in this query
let iptofind = "13.64.0.100";externaldata (first_ip:string, end_ip:string, as_num:int, country_code:string, description:string)[@"https://< insert your URL here>"]| project iptofind, first_ip, end_ip, as_num, description| where parse_ipv4(iptofind) between (parse_ipv4(first_ip).. parse_ipv4(end_ip))I use parse_ipv4 to work out where in the range the IP address I want is, it then returns the AS_Number (as_num) and description data.
You will have to download a new file on a regular basis (if required), maybe automate that with Logic Apps or another option is to use Logic Apps to read the data using the api?
I hope that helps.
Clive
Microsoft
You could approach this with the externaldata operator as mentioned here: https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306
I downloaded the "IP4 to ASN map" from here: https://iptoasn.com/ (use a source you trust and you validate...this is just an example)
I uploaded that file to Azure Blob (after unpacking it to a .CSV file), then generated a SAS token and URL. I use the URL created in this query
I use parse_ipv4 to work out where in the range the IP address I want is, it then returns the AS_Number (as_num) and description data.
You will have to download a new file on a regular basis (if required), maybe automate that with Logic Apps or another option is to use Logic Apps to read the data using the api?
I hope that helps.
Clive
- Hi Clive,
Cool search syntax.
Just a quick follow up question,
How can we make this iteratively through a dynamic list? Thank you.
e.g. let ip_list = dynamic(["8.8.8.8","1.1.1.1","1.0.8.23"]);This would be one way
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool) ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']; let ip_list = dynamic(["8.8.8.8","1.1.1.1","1.0.8.23","41.186.0.0"]); IP_Data | extend justIP = split(network,@"/").[0] | where justIP in (ip_list)Ip_data gets a list from the ...geoip2-ip4.csv file. The column "network" is an ip address list (in the format 192.1.1.1/32), so with the extend = justIp I remove the "/32" part. You can then use that IP address to compare against you dynamic list using the .
| where justIP in (ip_list)Thanks
