Iploc - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-05-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language iploc stage, which maps the IPv4 address held in a field to a predefined set of geolocation attributes.

Syntax

iploc <field>

Description

The iploc stage maps the IPv4 address held in a field to a predefined set of geolocation attributes. By default, the stage adds the geolocation data to the results table under these predefined column names: loc_asn_org, loc_asn, loc_city, loc_continent, loc_country, loc_latlon, loc_region, and loc_timezone.

Note

The loc_latlon field contains a single string made up of two floating-point numbers, the latitude and the longitude, separated by a comma, for example "32.0695,34.7621".

The following options are available to you when using this stage in your queries:

  • You can specify the geolocation fields that you want added to the results table.

  • You can append a suffix to the name of the geolocation field column in the results table.

  • You can change the name of the geolocation field column in the results table.

  • You can also view the geolocation data on a graph type called map, where the xaxis is set to either loc_country or loc_latlon, and the yaxis is a number field.

Note

  • The iploc stage can only be used with fields that contain numbers or strings.

  • To improve your query performance, we recommend that you filter the data in your query before the iploc stage is run. In addition, limiting the number of fields in the results table further improves the performance.
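The following query is an added example, not taken from the original page, that puts the options above together with the performance recommendation: null and RFC 1918 addresses are dropped before iploc runs, only the source fields the query needs are kept, two geolocation fields are renamed with as, and the result is aggregated per country and ASN organization. It assumes the xdr_data dataset and the action_remote_ip field used in the Examples section, and that the incidr() function is available for CIDR matching; both the field names and the availability and argument order of incidr() are assumptions here.

```xql
// Added example (not from the original page).
// Assumes dataset xdr_data with an action_remote_ip field and that
// incidr(<ip>, <cidr>) is available for CIDR matching (assumption).
dataset = xdr_data
// Filter before iploc: drop nulls and private (RFC 1918) addresses,
// which have no meaningful geolocation and only cost lookup time.
| filter action_remote_ip != null
    and not incidr(action_remote_ip, "10.0.0.0/8")
    and not incidr(action_remote_ip, "172.16.0.0/12")
    and not incidr(action_remote_ip, "192.168.0.0/16")
// Keep only the fields the rest of the query needs.
| fields action_remote_ip, action_remote_port
| limit 1000
// Request only the geolocation fields of interest and rename two of them.
| iploc action_remote_ip loc_country as country, loc_asn_org as asn_org, loc_latlon
// Count remote IPs per country and ASN organization, most frequent first.
| comp count() as ip_count by country, asn_org
| sort desc ip_count
```

Because the filter and fields stages run before iploc, the geolocation lookup is performed only for the rows and columns that survive, which is the ordering the note above recommends.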

Examples

Return a maximum of 1000 xdr_data records, excluding records where action_remote_ip is null, with selected geolocation data for the action_remote_ip field: the city name in a column called city, and the comma-separated latitude and longitude in the default loc_latlon column.

dataset = xdr_data
| limit 1000 
| filter action_remote_ip != null 
| iploc action_remote_ip loc_city as city, loc_latlon

Return a maximum of 1000 xdr_data records, excluding records where action_remote_ip is null, with all available geolocation data for action_remote_ip under the predefined column names, each with the suffix _remote_id appended (for example loc_country_remote_id).

dataset = xdr_data 
| limit 1000
| filter action_remote_ip != null
| iploc action_remote_ip suffix=_remote_id 

Return a maximum of 1000 xdr_data records with the country name (from loc_country) for the action_remote_ip field in a column called country, excluding records where either country or action_remote_ip is null. The comp stage counts the number of records per country. The results are displayed as a graph of type map, where the x-axis is the country and the y-axis is the per-country count (ip_count). Note that this query filters nulls after the iploc stage; placing the action_remote_ip != null filter before iploc would follow the performance recommendation above.

dataset = xdr_data 
| limit 1000
| iploc action_remote_ip loc_country as country  
| filter country != null and action_remote_ip  != null
| comp count() as ip_count by country 
| view graph type = map xaxis = country yaxis = ip_count