Forum Discussion
KQL to extract IP addresses from SecurityAlerts
- Mar 05, 2021
Good stuff! I modified the query a bit. I think it gets the same results. Also, I use distinct just to grab unique IPs. I think that's what you were trying to achieve with the summarize make_set.
If you run a "| count" you can see the difference.
SecurityAlert
// First get the list of unique IP addresses from the Extended Properties
// (ExtendedProperties is a JSON string; "IP Addresses" is a comma-separated list inside it)
| project IPs = tostring(parse_json(ExtendedProperties)["IP Addresses"])
| extend IPs = split(IPs, ",")
| mv-expand IPs
| extend IPs = trim(@"\s+", tostring(IPs)) // drop the space after each comma so duplicates collapse
| where isnotempty(IPs)
| distinct IPs // get only unique IPs
| union (SecurityAlert // join to the Entities IP pool
    | mv-expand parse_json(Entities) // one row per entity object
    | project IPs = trim(@"\s+", tostring(Entities["Address"])) // only IP entities carry Address
    | where isnotempty(IPs)
    | distinct IPs) // get only unique IPs
| order by IPs asc
| count
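The two branches of that query (split the "IP Addresses" list in ExtendedProperties, take the Address field of each expanded Entities object, then union and dedupe) are straightforward to mirror outside Log Analytics. The following is an added Python example, not code from the post or from any Microsoft project: it runs the same extraction over three constructed SecurityAlert-shaped rows and shows why the post says "| count" reveals the difference. The per-alert sets (the summarize make_set() shape) keep an IP that appears in several alerts, while the cross-alert distinct collapses it. It also adds one check the KQL does not have, rejecting any Address that is not a parseable IP, which you would want before feeding the result to a watchlist or a blocklist. The sample rows, IP values and entity layout are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample rows mirroring the two SecurityAlert columns the query reads.
# In the real table both columns are JSON strings. These are not real alerts.
SAMPLE_ALERTS = [
    {
        "ExtendedProperties": json.dumps({"IP Addresses": "198.51.100.7, 203.0.113.9", "Alert Id": "a1"}),
        "Entities": json.dumps([
            {"$id": "1", "Type": "ip", "Address": "203.0.113.9"},
            {"$id": "2", "Type": "host", "HostName": "WS01"},
        ]),
    },
    {
        "ExtendedProperties": json.dumps({"IP Addresses": "203.0.113.9"}),
        "Entities": json.dumps([
            {"$id": "1", "Type": "ip", "Address": "2001:db8::1"},
            {"$id": "2", "Type": "account", "Name": "alice"},
        ]),
    },
    {
        # No IP list at all, and a malformed Address that the validating path must drop.
        "ExtendedProperties": json.dumps({"Alert Id": "a3"}),
        "Entities": json.dumps([{"$id": "1", "Type": "ip", "Address": "not-an-ip"}]),
    },
]


def _is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ips_from_extended_properties(alert):
    """The project/split/mv-expand branch: comma list under 'IP Addresses', whitespace trimmed."""
    props = json.loads(alert.get("ExtendedProperties") or "{}")
    raw = props.get("IP Addresses", "")
    parts = raw if isinstance(raw, list) else str(raw).split(",")
    return [p.strip() for p in parts if p and p.strip()]


def ips_from_entities(alert):
    """The mv-expand Entities branch: every entity object that carries an Address field."""
    entities = json.loads(alert.get("Entities") or "[]")
    return [str(e["Address"]).strip() for e in entities if e.get("Address")]


def per_alert_ip_sets(alerts):
    """summarize make_set() analogue: one set per alert, so an IP seen in two alerts is counted twice."""
    return [sorted(set(ips_from_extended_properties(a) + ips_from_entities(a))) for a in alerts]


def distinct_ips(alerts, validate=True):
    """union + distinct analogue: one sorted list of unique IPs across all alerts.

    With validate=True (the added check) strings that are not IP addresses are dropped
    and the result is ordered numerically, IPv4 before IPv6.
    """
    seen = set()
    for alert in alerts:
        for ip in ips_from_extended_properties(alert) + ips_from_entities(alert):
            if validate and not _is_ip(ip):
                continue
            seen.add(ip)
    if not validate:
        return sorted(seen)
    # IPv4Address and IPv6Address do not compare with each other, so key on (version, int).
    return sorted(seen, key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))))


if __name__ == "__main__":
    sets = per_alert_ip_sets(SAMPLE_ALERTS)
    print("per-alert sets:", sets, "-> total entries:", sum(len(s) for s in sets))
    print("distinct, validated:", distinct_ips(SAMPLE_ALERTS))
    print("distinct, unvalidated:", distinct_ips(SAMPLE_ALERTS, validate=False))
```

Over the three constructed alerts the per-alert sets hold five entries in total, the unvalidated distinct list holds four, and the validated list holds three, which is exactly the gap a trailing "| count" exposes between a make_set-per-alert query and a cross-alert distinct.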