Which countries accessed some.site.tld (10.248.1.1) last 30 days
[located in Azure behind Azure Firewall and AzureApplication Gateway]
The query:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| project TimeGenerated, clientIp_s, hostname_s //, requestUri_s, action_s, ruleId_s, Message, details_message_s
| where hostname_s contains "some.site.tld"
//| distinct clientIp_s // сортира по различни clientIp_s e.g. uniq ?
//| distinct clientIp_s, TimeGenerated
//| order by hostname_s
//| summarize count() by clientIp_s, bin(TimeGenerated, 5m)
//| summarize count() by clientIp_s, bin(TimeGenerated, 1m)
//| render timechart
Category == "ApplicationGatewayAccessLog"
Category == "ApplicationGatewayFirewallLog"
ResourceProvider
MICROSOFT.NETWORK
Resource
CS-HUB-P-WAF-PUBLIC-AGW
Producing more than 30k lines (restrictions are 10k or 30k max - GUI limitations)
The PowerBI integration for Logs works with Logs API – therefore the limitation is not the UI limitation of 30K results but the API limitation of 500k results
From <https://learn.microsoft.com/en-us/answers/questions/1328922/query-output-limits-%28laws-pbi%29>
Export to excel
Azure -> logs -> Query -> Run (>30k lines)
- Update query to reduce the number of lines (e.g. where, distinct, etc)
- Export - Power BI ( as an M query) -> will generate and download txt file with API command
Excel -> Data -> Get Data -> From Other Sources -> Blank query => Advanced editor => paste content of txt file (API command with credentials)
The result is 500k lines output based on log query log
Select only IP addresses and export them to txt/csv file
GeoLite2 data created by MaxMind : https://www.miyuru.lk/geoiplegacy (April 2024)
GeoIP archive (2013) https://mirrors-cdn.liferay.com/geolite.maxmind.com/download/geoip/database/
DB-IP: https://db-ip.com/db/
On bash:
apt-get install geoip-bin geoip-database
MacOS: brew install GeoIP
dockerfile: dockerfile.run/geoiplookup
cat ./ip_list.txt | sort | uniq | xargs -n 1 geoiplookup { }
Or running the script bellow:
cat geoip_lookup.sh
#!/usr/bin/bash
#cat /var/log/apache2/ | awk '{print $1}' > ips.txt
#uniq ips.txt > uniques.txt
IPS=`cat IPs.txt`
#echo $IPS
for ip in $IPS
do
echo "`geoiplookup $ip | cut -d "," -f2 | sed -e 's/^[ \t]*//'` `geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat $ip | cut -d "," -f4,5 | sed -e 's/^[ \t]*//'` $ip"
#echo
done
Will provide a result like:
Netherlands Noord-Holland, Amsterdam 52.142.230.106
United States N/A, Boydton 52.167.144.137
Germany N/A, N/A 194.37.84.209
Sweden Sodermanlands Lan, Nyköping 93.158.90.70
MaxMind Country:
wget --no-check-certificate https://dl.miyuru.lk/geoip/maxmind/country/maxmind4.dat.gz
MaxMind City:
wget --no-check-certificate https://dl.miyuru.lk/geoip/maxmind/city/maxmind4.dat.gz
Няма коментари:
Публикуване на коментар