CodnChips
Brass Contributor
Jan 26, 2022
Solved

Search Incidents for entries from an IP Range

Hi, I'm trying to perform some retrospective investigations and would like to be able to list any Sentinel Incident that contained an entity from a specific IP range. I'm not great at KQL, so tryin...
  • Clive_Watson
    Jan 26, 2022

    CodnChips 

    // CIDR range that each IP entity is tested against
    let rangeToCheck = "10.0.0.1/24";
    SecurityIncident
    // keep only the latest record for each incident (incidents are re-logged on every update)
    | summarize arg_max(TimeGenerated,*) by IncidentNumber
    // AlertIds is a JSON array stored as a string: parse it, then emit one row per alert id
    | mv-expand AlertIds = todynamic(AlertIds) to typeof(string)
    | join 
    (
        SecurityAlert
        // Entities is a JSON array of entity objects; expand to one row per entity
        | extend AlertEntities = parse_json(Entities)
        | mv-expand AlertEntities
        | where isnotempty(AlertEntities)
        | where AlertEntities.Type == "ip"
        | extend EntityIP = tostring(AlertEntities.Address)
        | extend EntityType = tostring(AlertEntities.Type)
        // true when the entity's address falls inside rangeToCheck
        | extend inRange = ipv4_is_in_range(EntityIP, rangeToCheck)
    ) on $left.AlertIds == $right.SystemAlertId
    | project IncidentName = Title, IncidentNumber, inRange, EntityIP, EntityType, AlertId = AlertIds, AlertName
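The same incident-to-alert-entity join, written as an added, self-contained example that is not part of Clive_Watson's reply. It runs without the Sentinel tables because both inputs are constructed inline with datatable (the incident numbers, alert ids and addresses are made up), and it generalises the reply in two ways: it checks against a list of ranges with ipv4_is_in_any_range instead of a single range, and it filters down to the incidents that actually contain a matching entity, rolling the matching addresses up per incident rather than emitting a flag per row.

```kql
// Constructed sample data standing in for SecurityIncident and SecurityAlert
let rangesToCheck = dynamic(["10.0.0.0/24", "192.168.1.0/24"]);
let Incidents = datatable(TimeGenerated:datetime, IncidentNumber:int, Title:string, AlertIds:string)
[
    datetime(2022-01-25 10:00:00), 101, "Suspicious sign-in", '["a1","a2"]',
    datetime(2022-01-25 11:00:00), 102, "Malware detected",   '["a3"]'
];
let Alerts = datatable(SystemAlertId:string, AlertName:string, Entities:string)
[
    "a1", "Brute force",       '[{"Type":"ip","Address":"10.0.0.42"},{"Type":"account","Name":"alice"}]',
    "a2", "Impossible travel", '[{"Type":"ip","Address":"203.0.113.7"}]',
    "a3", "Malware",           '[{"Type":"host","HostName":"ws01"}]'
];
Incidents
// latest record per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// AlertIds is a JSON array in a string column; one row per alert id
| mv-expand AlertId = todynamic(AlertIds) to typeof(string)
| join kind=inner (
    Alerts
    // Entities is a JSON array in a string column; one row per entity
    | mv-expand Entity = todynamic(Entities)
    | where tostring(Entity.Type) == "ip"
    | extend EntityIP = tostring(Entity.Address)
    // keep only entities whose address is inside any of the watched ranges
    | where ipv4_is_in_any_range(EntityIP, rangesToCheck)
) on $left.AlertId == $right.SystemAlertId
// collapse back to one row per incident with the addresses and alerts that matched
| summarize MatchingIPs = make_set(EntityIP), AlertNames = make_set(AlertName) by IncidentNumber, Title
// expected: a single row for incident 101 with MatchingIPs ["10.0.0.42"]; incident 102 has no ip entity
```

To run it against real data, delete the two datatable definitions and replace Incidents and Alerts with SecurityIncident and SecurityAlert; the rest of the query is unchanged. Alerts that carry only IPv6 addresses are dropped by the ipv4 filter, so add an ipv6_is_in_any_range branch if those matter for the investigation.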
