topic Re: IPLOCATION displaying wrong Country in Splunk Search

IPLOCATION displaying wrong Country

nathanluke86 — Fri, 17 Sep 2021 12:08:51 GMT

Hello,

I am having an issue with IPLOCATION displaying the wrong Country using the following query.

index="office365" sourcetype = o365* Workload=AzureActiveDirectory Operation=UserLoggedin ActorIpAddress=152.37.xxx.xxx | iplocation ActorIpAddress |table Country

Which shows the country is "United States"

Checked the web on different IP locators and all show the IP as UK which is the correct location.

If I run this query:

| makeresults
| eval ip="152.37.xxx.xxx"
| iplocation ip
| table Country, ip

The country display as the UK.

Anyone know what is causing this issue. I have updated the mmdb file to the latest release.

TIA

Re: IPLOCATION displaying wrong Country

solarboyz1 — Fri, 17 Sep 2021 13:41:11 GMT

The iplocation data returned from the GeoLite2-City.mmdb database file in $SPLUNK_HOME/share/

You can update that file, or if you get a geoip subscription, you replace that file with one of the available data base files with more accuracy.

https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Iplocation
https://dev.maxmind.com/geoip/updating-databases?lang=en

Re: IPLOCATION displaying wrong Country

nathanluke86 — Fri, 17 Sep 2021 13:46:24 GMT

@solarboyz1

Thanks for the response,

I have updated the GeoLite2-City.mmdb file in $SPLUNK_HOME/share/. This has not made any difference.

I feel its something to do with the query as when I use the following query the country displays as GB which is correct.

| makeresults
| eval ip="152.37.xx.xxx"
| iplocation ip
| table Country, ip

Thanks,

Re: IPLOCATION displaying wrong Country

solarboyz1 — Fri, 17 Sep 2021 13:55:54 GMT

Depending on the subnet 152.37.xxx.xxx could be either US or UK

The following returns US:

| eval ip="152.37.11.2"

The following returns UK:

| eval ip="152.37.111.2"

Do you have specific entries you are referring to?

Re: IPLOCATION displaying wrong Country

nathanluke86 — Fri, 17 Sep 2021 14:05:39 GMT

@solarboyz1

The IP is a UK IP address.

As explained above, both queries are for the same unique IP but the Office365 query shows the IP as being in the US and the makeresults query shows the IP as in UK (which is correct and the desired outcome)

We have an Office 365 dashboard map that shows successful logins by country but some of the results are wrong and we can't work out why.

I thing the mmdb file is correct as we are getting the desired outcome when using makeresults query

Thanks,

Re: IPLOCATION displaying wrong Country

solarboyz1 — Fri, 17 Sep 2021 14:51:14 GMT

From what you are showing... both searches should be doing the exact some thing...which is looking up 152.37.xxx.xxx in the local geocities database.

If they are looking up the exact same values, and returning different countries...that sounds like a bug.

I mean, you could try something like:

index=o365 sourcetype = o365* Workload=AzureActiveDirectory Operation=UserLoggedin ActorIpAddress=152.*
| iplocation prefix=IpLoc1_ ActorIpAddress
| eval ip=ActorIpAddress
| iplocation prefix=IpLoc2_ ip
| table ActorIpAddress IpLoc1_Country ip IpLoc2_Country

Which is effectively running both the searches you had above and comparing them.

Is there any chance there is a Country field in the Data already that's could be causing issues?
I have o365 data and don't see any, but that could cause an issue.