Run query for multiple IP

Copper Contributor

I am trying to run the query in the logic app for a security incident in sentinel.

what I expect this query to do is give the  result of multiple IP associated with the incident.

 

SigninLogs

|where UserPrincipalName contains "Account Name" and IPaddress =="A list of IPs associated with the alert "  and DeviceDetails.isCompliant == True

|summarize by UserPrincalName,IPAddress,tostring(DeviceDetail)

 

Error:

ExpressionEvaluationFailed. The execution of template action 'For_each_3' failed: the result of the evaluation of 'foreach' expression '@body('Entities_-_Get_IPs')' is of type 'Object'. The result must be a valid array.

 

 

4 Replies

Hello @maheshtata ,

 

Could you please send the playbook itself?

A picture would be sufficient.

@mikhailf 

 

Thank you for supporting 

If you have several IP addresses you should use "Array" instead of "Object".
I would do something like the following: Run query -> From results of the query take IPs and append them to the Array of IPs.
Then you will have the Array of IPs and will be able to use it (send an email, get virustotal results etc.)
if i move them to array then the query is not working