Iploc

Cortex XDR XQL iploc stage associates the IPv4 addresses of any field to a list of predefined attributes related to the geolocation.

Synopsis

iploc <field>

Description

The iploc stage associates the IPv4 address of any field to a list of predefined attributes related to the geolocation. By default, when using this stage in your queries, the geolocation data is added to the results table in these predefined column names: loc_city, loc_continent, loc_country, loc_latlon, loc_region, and loc_timezone.
The loc_latlon field contains a string that combines two floating-point numbers representing the latitude and longitude, separated by a comma, for example "32.0695,34.7621".
The following options are available to you when using this stage in your queries:
  • You can specify the geolocation fields that you want added to the results table.
  • You can append a suffix to the name of the geolocation field column in the results table.
  • You can change the name of the geolocation field column in the results table.
  • You can also view the geolocation data on a graph type called map, where the xaxis is set to either loc_country or loc_latlon, and the yaxis is a number field.
  • The iploc stage can only be used with fields that contain numbers or strings.
  • To improve your query performance, we recommend that you filter the data in your query before the iploc stage is run. In addition, limiting the number of fields in the results table further improves the performance.

Examples

Return a maximum of 1000 xdr_data records with the specific geolocation data associated with the action_remote_ip field, where no record with a null value for action_remote_ip is included, displaying the name of the city in a column called city and the latitude and longitude as comma-separated values in a column called loc_latlon.
dataset = xdr_data | limit 1000 | filter action_remote_ip != null | iploc action_remote_ip loc_city as city, loc_latlon
Return a maximum of 1000 xdr_data records with all the available geolocation data in the predefined column names, adding the specified suffix _remote_id to each predefined column name, where no record with a null value for action_remote_ip is included.
dataset = xdr_data | limit 1000 | filter action_remote_ip != null | iploc action_remote_ip suffix=_remote_id
Return a maximum of 1000 xdr_data records with the specific geolocation data associated with the action_local_port field, including the name of the country in a column called country, where no record with a null value for country or action_local_port is included and the action_local_port value is not set to 0. The results are displayed in a graph type called map, where the x-axis represents the country and the y-axis the action_local_port.
dataset = xdr_data | limit 1000 | filter country != null and action_local_port != null and action_local_port != 0 | iploc action_local_port loc_country as country | view graph type = map xaxis = country yaxis = action_local_port
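The following query is added here as an example and is not taken from the Cortex XDR documentation. It puts the performance advice above into practice by narrowing both the rows and the columns before iploc runs, then aggregates connections by destination country so that unexpected destinations stand out for review. The event_type = ENUM.NETWORK filter and the fields and comp stages are assumed from general XQL usage and are not described on this page.

```xql
// Filter first: only network events with a usable remote IP reach iploc
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_remote_ip != null
// Keep only the columns needed downstream so iploc processes less data
| fields action_remote_ip, action_local_port
// Resolve just the two geolocation attributes this report uses, renaming one
| iploc action_remote_ip loc_country as country, loc_city
// One row per country/city pair with its connection count
| comp count() as connections by country, loc_city
| sort desc connections
| limit 50
```

Sorting by connection count surfaces the busiest destinations; reversing the sort order instead highlights rare country/city pairs, which is often the more useful view when hunting for anomalous outbound traffic.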
