This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Geo IP location for all logs in Log Explorer

Posted on 09-13-2023 09:25 AM
Wilks
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Good Day,

Is there a way to turn on Geo IP location for the logs that have Source IP data in them?  So for example I can see the Caller IP in the following log but no country code or GEO location and we want to add this.  Is there way to do this without using Chronicle or anything like that?

"requestMetadata": {
"callerIp": "174.95.10.102",
"callerSuppliedUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)",
"requestAttributes": {
"time": "2023-09-09T13:35:56.357323112Z",
"auth": {}
},

Solved Solved
1 3 1,526
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
reincoder
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

If you can bring your logs to BigQuery, you can use IPinfo's IP to Country ASN data from Analytics Hub to run the queries against the log. The database is updated daily and is free to use.

https://console.cloud.google.com/bigquery/analytics-hub/exchanges/projects/318570798575/locations/us...

Example code:

 

 

SELECT
  logs.IP, -- IP columns from the table
  country_asn.* -- Result from country_asn table lookup
FROM
  `analyticshub_free_country_asn.log_data` AS logs
JOIN
  `analyticshub_free_country_asn.country_asn` AS country_asn
ON
  NET.IP_FROM_STRING(logs.IP) BETWEEN NET.IP_FROM_STRING(country_asn.start_ip)
  AND NET.IP_FROM_STRING(country_asn.end_ip);

 

 

 
Here is what the output will look like: 

View solution in original post

Jump to Solution
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
reincoder
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

If you can bring your logs to BigQuery, you can use IPinfo's IP to Country ASN data from Analytics Hub to run the queries against the log. The database is updated daily and is free to use.

https://console.cloud.google.com/bigquery/analytics-hub/exchanges/projects/318570798575/locations/us...

Example code:

 

 

SELECT
  logs.IP, -- IP columns from the table
  country_asn.* -- Result from country_asn table lookup
FROM
  `analyticshub_free_country_asn.log_data` AS logs
JOIN
  `analyticshub_free_country_asn.country_asn` AS country_asn
ON
  NET.IP_FROM_STRING(logs.IP) BETWEEN NET.IP_FROM_STRING(country_asn.start_ip)
  AND NET.IP_FROM_STRING(country_asn.end_ip);

 

 

 
Here is what the output will look like: 
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Wilks
Bronze 1
Bronze 1
In response to reincoder
Reply posted on --/--/---- --:-- AM

Thanks.

So outside of big query there is no way to do this in something like Log Explorer?  I am guessing not but figured I would ask.

Thx

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
reincoder
Bronze 1
Bronze 1
In response to Wilks
Reply posted on --/--/---- --:-- AM

Not to my knowledge. I believe Log Explorer does not have any support for log data enrichment.

Jump to Solution
Top Solution Authors
View all