SOLVED

Search Incidents for entries from an IP Range

%3CLINGO-SUB%20id%3D%22lingo-sub-3072435%22%20slang%3D%22en-US%22%3ESearch%20Incidents%20for%20entries%20from%20an%20IP%20Range%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3072435%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI'm%20trying%20to%20perform%20some%20retrospective%20investigations%20and%20would%20like%20to%20be%20able%20to%20list%20any%20Sentinel%20Incident%20that%20contained%20an%20entity%20from%20a%20specific%20IP%20range.%3C%2FP%3E%3CP%3EI'm%20not%20great%20at%20KQL%2C%20so%20trying%20to%20figure%20it%20out%20-%20any%20assistance%5Cpointers%20would%20be%20greatly%20appreciated%20%26amp%3B%20educational!!%26nbsp%3B%20Many%20thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3072452%22%20slang%3D%22en-US%22%3ERe%3A%20Search%20Incidents%20for%20entries%20from%20an%20IP%20Range%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3072452%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1287382%22%20target%3D%22_blank%22%3E%40CodnChips%3C%2FA%3E%26nbsp%3BTake%20a%20look%20at%20the%20KQL%20function%20%22ipv4_is_in_range%22%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fipv4-is-in-range-function%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eipv4_is_in_range()%20-%20Azure%20Data%20Explorer%20%7C%20Microsoft%20Docs%3C%2FA%3E%26nbsp%3B%20%26nbsp%3Band%20see%20if%20that%20will%20work%20for%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi,

I'm trying to perform some retrospective investigations and would like to be able to list any Sentinel Incident that contained an entity from a specific IP range.

I'm not great at KQL, so trying to figure it out - any assistance\pointers would be greatly appreciated & educational!!  Many thanks

 

**I've found one of the example queries I'm going to try and butcher and see what happens.  Will update if I solve it :)

7 Replies

@CodnChips Take a look at the KQL function "ipv4_is_in_range" ipv4_is_in_range() - Azure Data Explorer | Microsoft Docs   and see if that will work for you.

Hey Gary, thanks for your response.
Yes, I've stumbled across that and am trying to mash that up with the built in query for "Alerts involving a user" - but replacing the "user bits" with the IP address\host\entity

@CodnChips 

 

let rangeToCheck = "10.20.60.1/24";
SecurityAlert
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
| where isnotempty(AlertEntities)
| where AlertEntities.Type == "ip"
| extend Entity = tostring(AlertEntities.Address)
| extend EntityType = tostring(AlertEntities.Type)
| distinct Entity, EntityType
| extend inRange = ipv4_is_in_range(Entity, rangeToCheck)

Amend line #1 to put the range you are looking for, gives you a true/false

Clive_Watson_0-1643197941991.png

 


 

Hi @Clive_Watson,
Thankyou very much for your code example - this is fantastic and educational.
I'd like to bolt on to this, the incident number & Title that the entity featured in.
Would I need to use a join - like this? (Not my code - taken from the pre-loaded queries):
AlertEvidence
| join AlertInfo on AlertId
| project Timestamp, AlertId, Title, Category , Severity , ServiceSource , DetectionSource , AttackTechniques

best response confirmed by CodnChips (Contributor)
Solution

@CodnChips 

let rangeToCheck = "10.0.0.1/24";
SecurityIncident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
(
    SecurityAlert
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
    | where isnotempty(AlertEntities)
    | where AlertEntities.Type == "ip"
    | extend EntityIP = tostring(AlertEntities.Address)
    | extend EntityType = tostring(AlertEntities.Type)
    | extend inRange = ipv4_is_in_range(EntityIP, rangeToCheck)
) on $left.AlertIds == $right.SystemAlertId
| project IncidntName = Title, IncidentNumber=IncidentNumber, inRange, EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName
I reckon I'm in the wrong schema - going to try this one:
SecurityIncident

https://docs.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics
WOOOAH - You've done it!!
That's is AMZING @Clive_Watson!!
Thanks so much - I will learn where I was going wrong (Everywhere!! :):):) )