https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/533394#M3778 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163390">@KanwarSingh01</a>&nbsp;the fields <STRONG>loc_asn</STRONG> and <STRONG>loc_asn_org</STRONG> are missing in line 5 where the iploc stage command is being innvoked. Put it in there and you shall have the information.</P> <P>&nbsp;</P> <P>See an example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_0-1678154924168.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48486iB104FE22584B5A76/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="bbarmanroy_0-1678154924168.png" alt="bbarmanroy_0-1678154924168.png" /></span></P> <P>&nbsp;</P> Tue, 07 Mar 2023 02:09:28 GMT bbarmanroy 2023-03-07T02:09:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/533390#M3777 <P>We are trying to find out ASN number, Organization&nbsp;Name, Location, City, Country for public IPs. Below is our query just in case:</P> <P>&nbsp;</P> <P>Note: The query which we ran is applied on interface which are receiving public facing IPs. We filtered that part of the query.</P> <LI-CODE lang="markup">config case_sensitive = false | dataset = panw_ngfw_threat_raw | fields rule_matched as PA_Rule_Name, severity, direction_of_attack, threat_category, threat_id, threat_name, action, inbound_if as Inbound_Interface, from_zone, source_ip, source_port, outbound_if as Outbound_Interface,to_zone, dest_ip, dest_port, app, tunnel, tunneled_app, log_source_name | comp Count(threat_name) as Counter by source_ip, dest_ip, dest_port, severity, threat_category, threat_name | iploc source_ip loc_city, loc_region, loc_country, loc_continent, loc_latlon, loc_timezone | comp Count(loc_city) as Counter by loc_city, loc_continent, loc_country, loc_region | sort desc Counter</LI-CODE> <P>&nbsp;</P> <P>Now, the challenge we have is that the documentation of iploc command states that it has a column name of&nbsp;<SPAN>LOC_ASN_ORG,&nbsp;LOC_ASN but we are not able to see that: See the error below:<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>Documentation link:&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Iploc" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Iploc</A></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KanwarSingh01_0-1678149273362.png" style="width: 784px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48485iFE07BF3A77B92CA8/image-dimensions/784x112/is-moderation-mode/true?v=v2" width="784" height="112" role="button" title="KanwarSingh01_0-1678149273362.png" alt="KanwarSingh01_0-1678149273362.png" /></span></P> <P>&nbsp;</P> <P>Any suggestions or ideas? Is it a XDR 3.6 console thing? Might be I am not understanding things right...</P> <P>&nbsp;</P> <P>Thank you.</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Tue, 07 Mar 2023 00:38:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/533390#M3777 KanwarSingh01 2023-03-07T00:38:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/533394#M3778 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163390">@KanwarSingh01</a>&nbsp;the fields <STRONG>loc_asn</STRONG> and <STRONG>loc_asn_org</STRONG> are missing in line 5 where the iploc stage command is being innvoked. Put it in there and you shall have the information.</P> <P>&nbsp;</P> <P>See an example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_0-1678154924168.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48486iB104FE22584B5A76/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="bbarmanroy_0-1678154924168.png" alt="bbarmanroy_0-1678154924168.png" /></span></P> <P>&nbsp;</P> Tue, 07 Mar 2023 02:09:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/533394#M3778 bbarmanroy 2023-03-07T02:09:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/533395#M3779 <P>Hi, Just attached the wrong screenshot, in the first reply:</P> <P>&nbsp;</P> <P>See below</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KanwarSingh01_0-1678155273713.png" style="width: 1559px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48487i7264F6344610F8EA/image-dimensions/1559x226/is-moderation-mode/true?v=v2" width="1559" height="226" role="button" title="KanwarSingh01_0-1678155273713.png" alt="KanwarSingh01_0-1678155273713.png" /></span></P> <P>&nbsp;</P> Tue, 07 Mar 2023 02:15:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/533395#M3779 KanwarSingh01 2023-03-07T02:15:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/534277#M3828 <P>Any suggestions guys?</P> Mon, 13 Mar 2023 23:17:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-finding-location-of-public-ip-based-on-iploc-command/m-p/534277#M3828 KanwarSingh01 2023-03-13T23:17:31Z