Using Geolocation Attributes in Searches and Search Results
When you view the results of a search, you will see that IP address fields in the results, such as Source IP or Destination IP, often have a flag added to them to indicate the geolocation of that IP address. This topic describes the geolocation information that is associated with event attributes, and provides examples of how to use this information in searches and search results.
Event and Geolocation Attributes
Using Geolocation Attributes in Searches
Viewing Geographic Locations from Search Results
Event and Geolocation Attributes
The event attributes Source IP, Destination IP, Host IP, and Reporting IP include geolocation attributes that you can use in search queries and as display fields in search results. In Incident Reports you may also see country flags included with IP addresses for Incident Source and Incident Target, which have the same geolocation attributes as Source IP and Destination IP.
Event Attribute | Geolocation Attributes
--- | ---
Source IP | Source Country, Source City, Source State, Source Organization, Source Longitude, Source Latitude
Destination IP | Destination Country, Destination City, Destination State, Destination Organization, Destination Longitude, Destination Latitude
Host IP | Host Country, Host City, Host State, Host Organization, Host Longitude, Host Latitude
Reporting IP | Reporting Country, Reporting City, Reporting State, Reporting Organization, Reporting Longitude, Reporting Latitude
Using Geolocation Attributes in Searches
You can use geolocation attributes in both real-time and historical structured searches. For example, setting a search condition to Source Country != United States removes every event whose Source IP is geolocated to the United States from the search results.
This screenshot shows the results of using Source Country != United States and Event Severity = 1 as the search criteria. The Source IP display field contains only IP addresses associated with countries other than the United States, as indicated by the national flags next to each IP address in the Source IP column.
If you use a geolocation attribute such as Source Country as a Display Field or Group By condition, the results show the name of the country for that attribute rather than a national flag.
This screenshot shows the results of the same query used previously, but with Group By = Source Country.
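The following is an added example, not code from the product, showing how the geolocation attributes in the table above are derived from each IP attribute and how the example condition (Source Country != United States and Event Severity = 1) and the Group By = Source Country view behave over a handful of constructed events. The GeoIP lookup table, the sample events, and the treatment of private addresses (no geolocation, so they do not match the condition) are assumptions of this example; the product's own handling of addresses without geolocation data may differ.

```python
# Added example (not the product's code): enrich events with the geolocation
# attributes listed on this page, then apply the page's example filter and Group By.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database: /24 prefix -> geolocation attributes.
GEO_TABLE = {
    "203.0.113": {"Country": "Australia", "City": "Sydney", "State": "NSW",
                  "Organization": "Example AU", "Longitude": 151.21, "Latitude": -33.87},
    "198.51.100": {"Country": "United States", "City": "Austin", "State": "TX",
                   "Organization": "Example US", "Longitude": -97.74, "Latitude": 30.27},
}
GEO_FIELDS = ("Country", "City", "State", "Organization", "Longitude", "Latitude")
IP_ATTRIBUTES = ("Source IP", "Destination IP", "Host IP", "Reporting IP")
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (Destination IP is an internal host with no geolocation).
EVENTS = [
    {"Source IP": "203.0.113.7", "Destination IP": "10.0.0.5", "Event Severity": 1},
    {"Source IP": "203.0.113.9", "Destination IP": "10.0.0.5", "Event Severity": 1},
    {"Source IP": "198.51.100.4", "Destination IP": "10.0.0.5", "Event Severity": 1},
    {"Source IP": "192.168.1.10", "Destination IP": "10.0.0.5", "Event Severity": 1},
    {"Source IP": "203.0.113.8", "Destination IP": "10.0.0.5", "Event Severity": 3},
]


def lookup(ip):
    """Geolocation attributes for a routable IP; None for RFC 1918 or unknown addresses."""
    if any(ip_address(ip) in net for net in PRIVATE_NETS):
        return None
    return GEO_TABLE.get(ip.rsplit(".", 1)[0])


def enrich(event):
    """Add 'Source Country' ... 'Source Latitude' (etc.) for each IP attribute present."""
    out = dict(event)
    for attr in IP_ATTRIBUTES:
        if attr in event:
            prefix = attr.split()[0]            # "Source IP" -> "Source"
            geo = lookup(event[attr]) or {}
            for field in GEO_FIELDS:
                out[f"{prefix} {field}"] = geo.get(field)   # None when no geolocation exists
    return out


def non_us_severity1(events):
    """Source Country != United States and Event Severity = 1.
    Assumption: an event with no Source Country (private IP) does not match."""
    return [e for e in map(enrich, events)
            if e.get("Source Country") not in (None, "United States") and e["Event Severity"] == 1]


def group_by_source_country(events):
    """Equivalent of Group By = Source Country: event count per country name."""
    return Counter(e["Source Country"] for e in events)
```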
Viewing Geographic Locations from Search Results
If your search results contain geographic information, click the Locations button to view that information on a map.
This screenshot shows the results for the first example query presented in a map. Clicking on a number in the map will provide you with an overview of incidents for that location.