KEY field in the following functions indicates the log field (for example, ip) and its value is an IP address. If the value is an internal IP address or an invalid field, the value cannot be parsed and is displayed as NULL or Unknown.Function | Description | Examples |
ip_to_country(KEY) | Analyzes the country or region of the target IP address and returns the country or region name. | * | SELECT ip_to_country(ip) |
ip_to_country_code(KEY) | Analyzes the country or region code of the target IP address and returns the country or region code. | * | SELECT ip_to_country_code(ip) |
ip_to_country_geo(KEY) | Analyzes the longitude and latitude of the country or region corresponding to the target IP address and returns the longitude and latitude of the country or region. | * | SELECT ip_to_country_geo(ip) |
ip_to_province(KEY) | Analyzes the province of the target IP address and returns the province name. | * | SELECT ip_to_province(ip) |
ip_to_province_code(KEY) | Analyzes the province code of the target IP address and returns the province code. | * | SELECT ip_to_province_code(ip) |
ip_to_province_geo(KEY) | Analyzes the longitude and latitude of the province corresponding to the target IP address and returns the longitude and latitude of the province. | * | SELECT ip_to_province_geo(ip) |
ip_to_city(KEY) | Analyzes the city associated with the destination IP address and returns the city name. | * | SELECT ip_to_city(ip) |
ip_to_city_code(KEY) | Analyzes the city code of the target IP address and returns the administrative division code of the city. This function supports Chinese cities only. | * | SELECT ip_to_city_code(ip) |
ip_to_city_geo(KEY) | Analyzes the longitude and latitude of the city corresponding to the target IP address and returns the longitude and latitude of the city. This function supports Chinese cities only. | * | SELECT ip_to_city_geo(ip) |
ip_to_provider(KEY) | Analyzes the ISP to which an IP address belongs. The ISP's name is returned. | * | SELECT ip_to_provider(ip) |
Hiding Detailed Geolocation Data in IPv6 or NULL. This limitation applies only to the final SQL query results and does not affect the calculation accuracy of intermediate SQL processing steps.Function | Description | Examples |
ip_to_country(KEY,'enable_ipv6') | Analyzes the country or region of the target IP address and returns the country or region name. | * | SELECT ip_to_country(ip,'enable_ipv6') |
ip_to_country_code(KEY,'enable_ipv6') | Analyzes the country or region code of the target IP address and returns the country or region code. | * | SELECT ip_to_country_code(ip,'enable_ipv6') |
ip_to_country_geo(KEY,'enable_ipv6') | Analyzes the longitude and latitude of the country or region corresponding to the target IP address and returns the longitude and latitude of the country or region. | * | SELECT ip_to_country_geo(ip,'enable_ipv6') |
ip_to_province(KEY,'enable_ipv6') | Analyzes the province of the target IP address and returns the province name. | * | SELECT ip_to_province(ip,'enable_ipv6') |
ip_to_province_code(KEY,'enable_ipv6') | Analyzes the province code of the target IP address and returns the province code. | * | SELECT ip_to_province_code(ip,'enable_ipv6') |
ip_to_province_geo(KEY,'enable_ipv6') | Analyzes the longitude and latitude of the province corresponding to the target IP address and returns the longitude and latitude of the province. | * | SELECT ip_to_province_geo(ip,'enable_ipv6') |
ip_to_city(KEY,'enable_ipv6') | Analyzes the city associated with the destination IP address and returns the city name. | * | SELECT ip_to_city(ip,'enable_ipv6') |
ip_to_city_code(KEY,'enable_ipv6') | Analyzes the city code of the target IP address and returns the administrative division code of the city. This function supports Chinese cities only. | * | SELECT ip_to_city_code(ip,'enable_ipv6') |
ip_to_city_geo(KEY,'enable_ipv6') | Analyzes the longitude and latitude of the city corresponding to the target IP address and returns the longitude and latitude of the city. This function supports Chinese cities only. | * | SELECT ip_to_city_geo(ip,'enable_ipv6') |
Function Name | Description | Examples |
ip_prefix (KEY,prefix_bits) | Obtains the prefix of the target IP address and returns the IP address in subnet mask format. For example, 192.168.1.0/24. | * | SELECT ip_prefix(ip,24) |
ip_subnet_min (KEY) | Obtains the minimum IP address in an IP range and returns the IP address. For example, 192.168.1.0. | * | SELECT ip_subnet_min(concat(ip,'/24')) |
ip_subnet_max (KEY) | Obtains the maximum IP address in an IP range and returns the IP address. For example, 192.168.1.255. | * | SELECT ip_subnet_max(concat(ip,'/24')) |
ip_subnet_range (KEY) | Obtains the IP address range and returns the IP addresses in an Array. For example, ["172.16.0.0","172.16.0.255"]. | * | SELECT ip_subnet_range(concat(ip,'/24')) |
is_subnet_of(KEY) | Determines whether the target IP address is within an IP range and returns a Boolean value. | * | SELECT is_subnet_of('192.168.0.1/24', ip) |
is_prefix_subnet_of(KEY) | Determines whether the target IP range is a subnet of a specified IP range and returns a Boolean value. | * | SELECT is_prefix_subnet_of('192.168.0.1/24',concat(ip, '/24')) |
Function Name | Description | Examples |
ip_to_domain (KEY) | Determines whether the target IP address is a private network address or a public network address. Returns intranet for a private network address, internet for a public network address, and invalid for an illegal address. | * | SELECT ip_to_domain(ip) |
ip_version(KEY) | Obtains the IP address version. The returned result is ipv4 or ipv6. | * | SELECT ip_version(ip) |
Function Name | Description | Examples |
ip_threat(KEY) | Determines whether an IP address is malicious. Returns: UNKNOWN: Unknown (no threat information detected). SECURE: Secure. SUSPICIOUS: Suspicious. MALICIOUS: Malicious. | * | SELECT ip_threat(ip) |
ip_threat_tags(KEY) | The threat tags of suspicious and malicious IP addresses, representing the specific malicious behaviors associated with that IP address. Returns an array. | * | SELECT ip_threat_tags(ip) |
ip_threat_detail(KEY) | IP address threat detection details, returned as JSON. For example:
Among them: reputation: Whether the IP address is malicious. Its content is the same as that of ip_threat(KEY).tags: Threat tags for suspicious and malicious IP addresses. Its content is the same as that of ip_threat_tags(KEY).extraInfo: Detailed description of the IP address. This information is available only for some secure (SECURE) IP addresses. For other IP addresses, please visit the Tencent Security Threat Intelligence Center to view it. extraInfo_zh: Chinese version of the IP address detailed description. | * | SELECT ip_threat_detail(ip) |
Threat Tag | Description | Detailed Description |
xx Exploit vulnerability | xx Vulnerability Exploitation | The IP address initiates attacks against users by exploiting specific vulnerabilities, such as Weblogic vulnerability exploitation. |
xx attack | xx Attack | The IP address has launched specific types of attacks against users, such as CC attacks and credential stuffing attacks. |
xx Scanning | xx Scanning | The IP address scans user assets by exploiting specific vulnerabilities, such as Zhiyuan OA scanning (Zhiyuan OA Scanning). |
Brute force | Brute force | The IP address attempts passwords against user systems. |
Proxy seconds dial | Proxy seconds dial | Proxy: This IP address was used as a proxy IP address by cybercriminals at a certain point in time. Fast Dial: This IP address was identified as a fast dial IP address resource provided by cybercriminals at a certain point in time (cybercriminals use home broadband dial-up to hold malicious IP addresses for a certain period). |
Environmental forgery | Environmental forgery | The IP address forges environments to bypass or deceive the service's security detection. |
Network traffic risk control | Network traffic risk control | The traffic from this IP address triggered the network traffic risk control rules. |
group control | Group control | The traffic from this IP address may originate from a group control platform or system. |
ip.* | SELECT count(*) AS PV where ip_to_domain(ip)!='intranet'
* | SELECT ip_to_province(ip) AS province, count(*) as PV GROUP BY province ORDER BY PV desc LIMIT 10
* | SELECT ip_to_province(ip) AS province, count(*) as PV where ip_to_domain(ip)!='intranet' GROUP BY province ORDER BY PV desc LIMIT 10
* | SELECT ip_to_geo(ip) AS geo, count(*) AS pv GROUP BY geo ORDER BY pv DESC
* |selectip,CASE WHEN ip_threat(ip) = 'SUSPICIOUS' THEN 'Suspicious' WHEN ip_threat(ip) = 'MALICIOUS' THEN 'Malicious' END as "Threat Level",ip_threat_tags(ip) as "Threat Tag",count(*) as "Access Count"whereip_threat(ip) = 'SUSPICIOUS'or ip_threat(ip) = 'MALICIOUS'group byiporder bycount(*) desclimit10000
피드백