Forum Discussion
Mr_PBKAC
Aug 14, 2019, Copper Contributor
Query Log Analytics Workspace for IP
I want to query a specific log analytics workspace for an IP address .
- CliveWatson
Microsoft
You could do a simple (but inefficient) search - please edit to match your IP address.
search "192.168"
If you know the Table that contains the data, that really helps. This next query brings back all the Tables that contain the IP address, if you don't already know them; that way we can just search within a Table to improve the query time efficiency.
search "192.168" | summarize count() by Type
In the results of query #2, the Type column lists the Tables that have 192.168* in them.

Type                      count_
WindowsFirewall           97742
NetworkMonitoring         125670
AzureNetworkAnalytics_CL  40

Now that we know the three Tables that have that IP Address, you can just get (for example) 10 rows of data that match that IP.
WindowsFirewall | search "192.168" | limit 10
Results of Query 3 (I just show one row for clarity):
Columns: $table TenantId SourceSystem Computer TimeGenerated CommunicationDirection FirewallAction Protocol SourceIP DestinationIP RemoteIP SourcePort FullDestinationAddress DestinationPort RequestSizeInBytes Info MG TimeCollected ManagementGroupName MaliciousIP IndicatorThreatType Description TLPLevel Confidence Severity FirstReportedDateTime LastReportedDateTime IsActive ReportReferenceLink AdditionalInformation MaliciousIPLongitude MaliciousIPLatitude MaliciousIPCountry Type _ResourceId

Values: WindowsFirewall b438b4f6-912a-46d5-9cb1-b44069212abc OpsManager ContosoAppSrv1 2019-08-15T06:33:10Z SEND ALLOW ICMP 10.6.0.28 192.168.1.4 192.168.1.4 null 192.168.1.4 null null 00000000-0000-0000-0000-000000000001 2019-08-15T08:59:58.86Z AOI-b438b4f6-912a-46d5-9cb1-b44069212abc null null null WindowsFirewall /subscriptions/e4272367-5645-4c4e-9c67-3b74b59a6982/resourcegroups/contosoazurehq/providers/microsoft.compute/virtualmachines/contosoappsrv1

I can see 3 columns that have that data. You don't say what you want to do with it when found; maybe something like this, which filters on a particular column (DestinationIP), again improving the query execution?
WindowsFirewall | where DestinationIP == "192.168.1.4" | summarize count() by Computer
Run the above query from here: Go to Log Analytics and Run Query
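A fuller version of the narrowing Clive describes (search only the tables you already know hold the IP, then filter the typed IP columns of one table), added here as an example and not part of Clive's reply or Microsoft's documentation. The table and column names are taken from his results above; the IP, subnet and 7-day window are placeholder values to edit, and the two queries are run separately.

```kql
// Added example, not from the thread. Assumes the WindowsFirewall,
// NetworkMonitoring and AzureNetworkAnalytics_CL tables and the
// SourceIP / DestinationIP / RemoteIP columns shown in the results above.

// Query 1: scope the expensive "search" to the tables already known to hold
// the IP and to a time window, instead of scanning the whole workspace.
let Lookback = 7d;
search in (WindowsFirewall, NetworkMonitoring, AzureNetworkAnalytics_CL) "192.168.1.4"
| where TimeGenerated > ago(Lookback)
| summarize Hits = count() by Type

// Query 2 (run separately): filter the typed IP columns of one table, record
// which column matched, and use a subnet predicate rather than a string prefix.
let TargetIp = "192.168.1.4";          // placeholder
let TargetSubnet = "192.168.1.0/24";   // placeholder
WindowsFirewall
| where TimeGenerated > ago(7d)
| where SourceIP == TargetIp
     or DestinationIP == TargetIp
     or RemoteIP == TargetIp
     or ipv4_is_in_range(DestinationIP, TargetSubnet)
| extend MatchedColumn = case(
      SourceIP == TargetIp, "SourceIP",
      DestinationIP == TargetIp, "DestinationIP",
      RemoteIP == TargetIp, "RemoteIP",
      "DestinationIP (subnet)")
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, MatchedColumn, CommunicationDirection, FirewallAction, Protocol
| order by Events desc
```

Query 1 answers "which tables still mention this address in the window"; query 2 gives a per-host summary of direction, action and protocol for the hits, which is usually the first thing wanted when an address is being chased through firewall logs. Comparing the typed columns with == (and a subnet with ipv4_is_in_range) keeps the filter on indexed columns, which is where the speed-up over a workspace-wide search comes from.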
- Mr_PBKAC, Copper Contributor
Thank you for your help. The query can be simple and broad or granular. Also, is there a default workspace associated with the MS Azure Security Center widget, where you can see all security alerts for your instance? Where are those logs stored, or is it unique for each setup?