FortiSIEM Using Geolocation Attributes in Searches and Search Results

When you view the results of a search, you will see that IP address fields in the results, such as Source IP or Destination IP, often have a flag added to them to indicate the geolocation of that IP address. This topic describes the geolocation information that is associated with event attributes, and provides examples of how to use this information in searches and search results.

Event and Geolocation Attributes

The event attributes Source IP, Destination IP, Host IP, and Reporting IP include geolocation attributes that you can use in search queries and as display fields in search results. In Incident Reports you may also see country flags included with IP addresses for Incident Source and Incident Target, which have the same geolocation attributes as Source IP and Destination IP.

Event Attribute    Geolocation Attributes
Source IP          Source Country, Source City, Source State, Source Organization, Source Longitude, Source Latitude
Destination IP     Destination Country, Destination City, Destination State, Destination Organization, Destination Longitude, Destination Latitude
Host IP            Host Country, Host City, Host State, Host Organization, Host Longitude, Host Latitude
Reporting IP       Reporting Country, Reporting City, Reporting State, Reporting Organization, Reporting Longitude, Reporting Latitude

Using Geolocation Attributes in Searches

You can use geolocation attributes in both real-time and historical structured searches. For example, setting a search attribute to Source Country != United States will remove all Source IPs with a geolocation of United States from the search results.

This screenshot shows the results of using Source Country != United States and Event Severity = 1 as the search criteria. The Source IP display field contains only IP addresses associated with countries other than the United States, as indicated by the national flags next to each IP address in the Source IP column.

If you use a geolocation attribute such as Source Country as a Display Field or Group By condition, then the results will include name information for that attribute, rather than a national flag.

This screenshot shows the results of the same query used previously, but with Group By = Source Country.

Viewing Geographic Locations from Search Results

If your search results contain geographic information, click the Locations button to view that information on a map.

This screenshot shows the results for the first example query presented in a map. Clicking on a number in the map will provide you with an overview of incidents for that location.


