XQL Query: Finding Location of Public IP based on iploc command.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XQL Query: Finding Location of Public IP based on iploc command.

L3 Networker

We are trying to find out ASN number, Organization Name, Location, City, Country for public IPs. Below is our query just in case:

 

Note: The query which we ran is applied on interface which are receiving public facing IPs. We filtered that part of the query.

config case_sensitive = false 
| dataset = panw_ngfw_threat_raw 
| fields  rule_matched as PA_Rule_Name, severity, direction_of_attack, threat_category, threat_id, threat_name, action, inbound_if as Inbound_Interface, from_zone, source_ip, source_port, outbound_if as Outbound_Interface,to_zone, dest_ip, dest_port, app, tunnel, tunneled_app, log_source_name
| comp Count(threat_name) as Counter by source_ip, dest_ip, dest_port, severity, threat_category, threat_name
| iploc  source_ip loc_city, loc_region, loc_country, loc_continent, loc_latlon, loc_timezone 
| comp Count(loc_city) as Counter by loc_city, loc_continent, loc_country, loc_region 
| sort desc Counter

 

Now, the challenge we have is that the documentation of iploc command states that it has a column name of LOC_ASN_ORG, LOC_ASN but we are not able to see that: See the error below:

 

Documentation link: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Iploc

KanwarSingh01_0-1678149273362.png

 

Any suggestions or ideas? Is it a XDR 3.6 console thing? Might be I am not understanding things right...

 

Thank you.

 

Cortex XDR 

Kind Regards
KS
3 REPLIES 3

L5 Sessionator

Hi @KanwarSingh01 the fields loc_asn and loc_asn_org are missing in line 5 where the iploc stage command is being innvoked. Put it in there and you shall have the information.

 

See an example:

bbarmanroy_0-1678154924168.png

 

Hi, Just attached the wrong screenshot, in the first reply:

 

See below

KanwarSingh01_0-1678155273713.png

 

Kind Regards
KS

L3 Networker

Any suggestions guys?

Kind Regards
KS
  • 2358 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!