![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 67%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,800 questions
Hello @Rushit Ajudiya
- ipv4_lookup plugin is the nearest equivalent to iplocation, though there isn't a built in table for IP locations, giving you the flexibility to choose the example table or from another provider. Also note, that some logs, such as Azure AD Sign in logs are already enriched with IP location information. Also IP addresses mapped to entities and Threat Intelligence IP's are also enriched with geolocation data.
- There is no KQL equivalent to lookup as KQL is a read only language within Log Analytics and therefore doesn't add any new data to the environment. To perform something similar, you would need to ingest data to the environment and perform a join. Ways that you can do this include
- Watchlists
- Threat Intelligence
- Playbook or equivalent method for ingesting data to log analytics
- externaldata() operator
- distinct is the operator I believe you want for values()
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 82%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)