
Use GeoIP-enriched data in UDM Search

Chronicle provides geolocation data enrichment (GeoIP data) for external IP addresses to provide additional context during an investigation. This document explains how you can use geolocation enriched fields when performing investigative searches.


GeoIP-enriched UDM data can be accessed through UDM Search as shown in the following examples:

By country name (country_or_region)

src.ip_location.country_or_region = "Nederland" OR principal.ip_location.country_or_region = "Nederland"

By state (state)

src.ip_location.state = "Noord-Holland" OR principal.ip_location.state = "Noord-Holland"

By longitude and latitude

By unauthorized target geographies

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_location.country_or_region = "Cuba" OR
    target.ip_location.country_or_region = "Iran" OR
    target.ip_location.country_or_region = "North Korea" OR
    target.ip_location.country_or_region = "Russia" OR
    target.ip_location.country_or_region = "Syria"
)
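The same unauthorized-geography search expressed as a YARA-L 2.0 detection rule, so that matching connections raise a detection instead of having to be searched for by hand. This is an added example, not a rule from the Chronicle documentation; the rule name, the one-hour grouping by principal hostname, and the severity value are assumptions.

```yaral
rule network_connection_to_unauthorized_geography {
  meta:
    author = "example"
    description = "Network connection whose GeoIP-enriched target country is on the unauthorized list"
    severity = "MEDIUM"

  events:
    // Same predicate as the UDM Search above, with the enriched
    // target country bound to a placeholder variable
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.ip_location.country_or_region = $country
    (
      $country = "Cuba" or
      $country = "Iran" or
      $country = "North Korea" or
      $country = "Russia" or
      $country = "Syria"
    )
    // Assumed grouping key: the host that initiated the connection
    $e.principal.hostname = $host

  match:
    // One detection per host per hour rather than one per connection
    $host over 1h

  outcome:
    // Summarize what the host talked to inside the match window
    $target_countries = array_distinct($country)
    $target_ips = array_distinct($e.target.ip)
    $connection_count = count($e.metadata.id)

  condition:
    $e
}
```

Because GeoIP enrichment is applied only to external IP addresses, an event whose target address is internal has no ip_location value and will not match this rule.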

Viewing enriched geolocation data in UDM Grid

Context-enriched fields, including the GeoIP fields, are displayed in UDM grid views (for example, UDM Search, Detection View, and User View), but they are not visible in the Event Viewer.

[Image: UDM grid]