cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Search Incidents for entries from an IP Range

CodnChips
Brass Contributor

‎Jan 26 2022 03:08 AM - edited ‎Jan 26 2022 03:15 AM

‎Jan 26 2022 03:08 AM - edited ‎Jan 26 2022 03:15 AM

Search Incidents for entries from an IP Range

Hi,

I'm trying to perform some retrospective investigations and would like to be able to list any Sentinel Incident that contained an entity from a specific IP range.

I'm not great at KQL, so trying to figure it out - any assistance\pointers would be greatly appreciated & educational!!  Many thanks

 

**I've found one of the example queries I'm going to try and butcher and see what happens.  Will update if I solve it :)

3,262 Views
0 Likes
7 Replies
Reply
7 Replies
Gary Bushey

‎Jan 26 2022 03:46 AM

‎Jan 26 2022 03:46 AM

Re: Search Incidents for entries from an IP Range

@CodnChips Take a look at the KQL function "ipv4_is_in_range" ipv4_is_in_range() - Azure Data Explorer | Microsoft Docs   and see if that will work for you.

1 Like
Reply
CodnChips

‎Jan 26 2022 03:51 AM

‎Jan 26 2022 03:51 AM

Re: Search Incidents for entries from an IP Range

Hey Gary, thanks for your response.
Yes, I've stumbled across that and am trying to mash that up with the built in query for "Alerts involving a user" - but replacing the "user bits" with the IP address\host\entity
0 Likes
Reply
Clive_Watson

‎Jan 26 2022 03:52 AM

‎Jan 26 2022 03:52 AM

Re: Search Incidents for entries from an IP Range

@CodnChips 

 

let rangeToCheck = "10.20.60.1/24";
SecurityAlert
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
| where isnotempty(AlertEntities)
| where AlertEntities.Type == "ip"
| extend Entity = tostring(AlertEntities.Address)
| extend EntityType = tostring(AlertEntities.Type)
| distinct Entity, EntityType
| extend inRange = ipv4_is_in_range(Entity, rangeToCheck)

Amend line #1 to put the range you are looking for, gives you a true/false

Clive_Watson_0-1643197941991.png

 


 

1 Like
Reply
CodnChips

‎Jan 26 2022 04:52 AM - edited ‎Jan 26 2022 04:52 AM

‎Jan 26 2022 04:52 AM - edited ‎Jan 26 2022 04:52 AM

Re: Search Incidents for entries from an IP Range

Hi @Clive_Watson,
Thankyou very much for your code example - this is fantastic and educational.
I'd like to bolt on to this, the incident number & Title that the entity featured in.
Would I need to use a join - like this? (Not my code - taken from the pre-loaded queries):
AlertEvidence
| join AlertInfo on AlertId
| project Timestamp, AlertId, Title, Category , Severity , ServiceSource , DetectionSource , AttackTechniques

0 Likes
Reply
best response confirmed by CodnChips (Brass Contributor)
Clive_Watson

‎Jan 26 2022 05:26 AM

‎Jan 26 2022 05:26 AM

Solution

Re: Search Incidents for entries from an IP Range

@CodnChips 

let rangeToCheck = "10.0.0.1/24";
SecurityIncident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
(
    SecurityAlert
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
    | where isnotempty(AlertEntities)
    | where AlertEntities.Type == "ip"
    | extend EntityIP = tostring(AlertEntities.Address)
    | extend EntityType = tostring(AlertEntities.Type)
    | extend inRange = ipv4_is_in_range(EntityIP, rangeToCheck)
) on $left.AlertIds == $right.SystemAlertId
| project IncidntName = Title, IncidentNumber=IncidentNumber, inRange, EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName
2 Likes
Reply
CodnChips

‎Jan 26 2022 05:31 AM

‎Jan 26 2022 05:31 AM

Re: Search Incidents for entries from an IP Range

I reckon I'm in the wrong schema - going to try this one:
SecurityIncident

https://docs.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics
0 Likes
Reply
CodnChips

‎Jan 26 2022 05:34 AM

‎Jan 26 2022 05:34 AM

Re: Search Incidents for entries from an IP Range

WOOOAH - You've done it!!
That's is AMZING @Clive_Watson!!
Thanks so much - I will learn where I was going wrong (Everywhere!! :):):) )
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by CodnChips (Brass Contributor)
Clive_Watson

‎Jan 26 2022 05:26 AM

‎Jan 26 2022 05:26 AM

Solution

Re: Search Incidents for entries from an IP Range

@CodnChips 

let rangeToCheck = "10.0.0.1/24";
SecurityIncident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
(
    SecurityAlert
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
    | where isnotempty(AlertEntities)
    | where AlertEntities.Type == "ip"
    | extend EntityIP = tostring(AlertEntities.Address)
    | extend EntityType = tostring(AlertEntities.Type)
    | extend inRange = ipv4_is_in_range(EntityIP, rangeToCheck)
) on $left.AlertIds == $right.SystemAlertId
| project IncidntName = Title, IncidentNumber=IncidentNumber, inRange, EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName

View solution in original post

2 Likes
Reply