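// Azure Firewall IDS alerts enriched with GeoIP data for the destination address.
// Plugin reference: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-lookup-plugin
//
// NOTE(review): the GeoIP lookup table is fetched at query time from a third-party
// GitHub repository on a moving branch ("master"). Anyone able to push to that repo
// can change what this query reports (e.g. remap a hostile network to a benign
// country). Pin the URL to an immutable commit SHA, or copy the CSV into a storage
// account you control and reference that instead. The schema below must match the
// CSV column order exactly (all columns are read as strings).
let geoData = externaldata
(network: string, geoname_id: string, continent_code: string, continent_name: string,
country_iso_code: string, country_name: string, is_anonymous_proxy: string, is_satellite_provider: string)
[@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"] with (ignoreFirstRecord=true, format="csv");
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where OperationName == "AzureFirewallIDSLog"
// Positional parse of the IDS message text. With the default (simple) parse kind a
// row whose msg_s does not follow this exact layout should produce empty extracted
// columns rather than an error -- verify against a sample if the log format changes.
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestIP ":" DestPort ". Action: " Action ". Signature: " SignatureID ". IDS:" Message ". Priority:" Priority ". Classification:" Classification
| project
TimeGenerated,
SignatureID,
Message,
Priority,
Classification,
Protocol,
SourceIP,
SourcePort,
DestIP,
DestPort,
Action,
Resource
// The filters below look like workbook parameter placeholders evaluated with the
// "All" value ('*'): as written, '*' == "*" is always true, so none of them narrows
// the result. Presumably the literal '*' is replaced with the selected value at
// render time -- confirm against the workbook definition.
| where '*' == Action or '*' == "*"
| where '*' == Protocol or '*' == "*"
| where '*' == SignatureID or '*' == "*"
| where '*' == SourceIP or '*' == "*"
| where '*' == DestIP or '*' == "*"
// return_unmatched=true keeps alerts whose DestIP has no entry in geoData (private
// ranges, gaps in the CSV, an empty DestIP from a failed parse) instead of silently
// dropping them; for those rows the geo columns are empty. Dropping unmatched rows
// would hide IDS alerts from the dashboard, which is the wrong default for detection.
| evaluate ipv4_lookup (geoData, DestIP, network, true)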