Use GeoIP-enriched data in UDM Search
Chronicle enriches external IP addresses with geolocation data (GeoIP data) to give additional context during an investigation. This document explains how to use the geolocation-enriched fields when performing investigative searches.
To learn more about:
how Chronicle enriches UDM records with geolocation data, and the scope of this enrichment, see Geographic location from an IP address.
how to use geolocation data in dashboards, see Use GeoIP-enriched data in dashboards.
Using enriched geolocation data in UDM Search
GeoIP-enriched UDM data can be accessed through UDM Search as shown in the following examples:
By country name (country_or_region)
src.ip_location.country_or_region = "Nederland" OR principal.ip_location.country_or_region = "Nederland"
By state (state)
src.ip_location.state = "Noord-Holland" OR principal.ip_location.state = "Noord-Holland"
By longitude and latitude
By unauthorized target geographies
metadata.event_type = "NETWORK_CONNECTION" AND ( target.ip_location.country_or_region = "Cuba" OR target.ip_location.country_or_region = "Iran" OR target.ip_location.country_or_region = "North Korea" OR target.ip_location.country_or_region = "Russia" OR target.ip_location.country_or_region = "Syria" )
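The three searches above can be checked offline before they are run in Chronicle. The following Python script is an added example, not Chronicle code or part of this documentation: it reproduces the country, state and unauthorized-target-geography filters over constructed, UDM-shaped event dictionaries. The sample events, the country set and the helper names are assumptions; only external IP addresses are GeoIP-enriched, so some nouns in the sample data deliberately lack ip_location to show that unenriched events simply do not match.

```python
"""Offline check of the GeoIP-based UDM Search filters (added example).

Reproduces the logic of the country, state and unauthorized-target
searches over constructed UDM-shaped events. Event contents, the
UNAUTHORIZED_GEOS set and all helper names are assumptions.
"""

# Constructed sample events in a simplified UDM shape. Internal addresses
# are not GeoIP-enriched, so those nouns carry no ip_location object.
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"ip": "10.0.0.5"},
     "target": {"ip": "203.0.113.10",
                "ip_location": {"country_or_region": "Iran"}}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"ip": "198.51.100.7",
                   "ip_location": {"country_or_region": "Nederland",
                                   "state": "Noord-Holland"}},
     "target": {"ip": "10.0.0.9"}},
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"ip": "198.51.100.8",
                   "ip_location": {"country_or_region": "Nederland",
                                   "state": "Utrecht"}},
     "target": {"ip": "192.0.2.4",
                "ip_location": {"country_or_region": "Russia"}}},
    # External target without enrichment data: must not match any filter.
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"ip": "10.0.0.6"},
     "target": {"ip": "192.0.2.77"}},
]

# Same geographies as the UDM Search example above (assumed deny list).
UNAUTHORIZED_GEOS = {"Cuba", "Iran", "North Korea", "Russia", "Syria"}


def location_field(event, noun, field):
    """Return <noun>.ip_location.<field>, or None when the noun is not enriched."""
    return event.get(noun, {}).get("ip_location", {}).get(field)


def by_country(events, country, nouns=("src", "principal")):
    """src.ip_location.country_or_region = X OR principal.ip_location.country_or_region = X"""
    return [e for e in events
            if any(location_field(e, n, "country_or_region") == country
                   for n in nouns)]


def by_state(events, state, nouns=("src", "principal")):
    """src.ip_location.state = X OR principal.ip_location.state = X"""
    return [e for e in events
            if any(location_field(e, n, "state") == state for n in nouns)]


def unauthorized_targets(events, geos=UNAUTHORIZED_GEOS):
    """metadata.event_type = "NETWORK_CONNECTION" AND target country in geos.

    The event_type gate matters: the USER_LOGIN event with a Russian target
    is excluded, exactly as it would be by the UDM Search above.
    """
    return [e for e in events
            if e.get("metadata", {}).get("event_type") == "NETWORK_CONNECTION"
            and location_field(e, "target", "country_or_region") in geos]


if __name__ == "__main__":
    print("Nederland:", [e["principal"]["ip"] for e in by_country(SAMPLE_EVENTS, "Nederland")])
    print("Noord-Holland:", [e["principal"]["ip"] for e in by_state(SAMPLE_EVENTS, "Noord-Holland")])
    print("Unauthorized targets:", [e["target"]["ip"] for e in unauthorized_targets(SAMPLE_EVENTS)])
```

Because location_field returns None for any noun without an ip_location object, events for internal or otherwise unenriched addresses fall out of every filter without raising, which mirrors how the searches behave against events that were never enriched.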
Viewing enriched geolocation data in UDM Grid
Context-enriched fields are displayed in UDM grid views (for example, UDM Search, Detection View, User View), but they are not visible in the Event Viewer.