Query Details

AWS Public IP Added to Instance

Query

//Query to find public IP addresses associated to AWS instances
AWSCloudTrail
| where EventName has "AllocateAddress"
| extend IPAssigned = tostring(parse_json(ResponseElements).publicIp)
| extend AllocationID = tostring(parse_json(ResponseElements).allocationId)
| project TimeGenerated, UserIdentityArn, UserIdentityAccountId, IPAssigned, AllocationID

Explanation

This query searches for public IP addresses that are associated with AWS instances. It uses the AWSCloudTrail table and filters for events with the name "AllocateAddress". It then extracts the public IP address and allocation ID from the response elements, and selects the time generated, user identity ARN, user identity account ID, IP address, and allocation ID for the final result.
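AllocateAddress records the Elastic IP being allocated; attaching it to an instance or network interface is logged separately as AssociateAddress. The following is an added example, not part of the original query or the author's work, that goes one step further and joins the two events on the allocation ID. It assumes AssociateAddress events carry `allocationId`, `instanceId` and `networkInterfaceId` in RequestParameters; the output column names are illustrative.

```kql
// Added example: pair each Elastic IP allocation with a later association
// of the same allocation ID, to show where the public IP ended up.
// Assumption: AssociateAddress RequestParameters contain allocationId,
// instanceId and networkInterfaceId.
let Allocations = AWSCloudTrail
    | where EventName == "AllocateAddress"
    | extend Resp = parse_json(ResponseElements)
    | extend IPAssigned = tostring(Resp.publicIp),
             AllocationID = tostring(Resp.allocationId)
    // Failed calls have no response elements, so drop rows without an allocation ID
    | where isnotempty(AllocationID)
    | project AllocatedTime = TimeGenerated, AllocatedBy = UserIdentityArn,
              UserIdentityAccountId, IPAssigned, AllocationID;
AWSCloudTrail
| where EventName == "AssociateAddress"
// Keep only calls that succeeded
| where isempty(ErrorCode)
| extend Req = parse_json(RequestParameters)
| extend AllocationID = tostring(Req.allocationId),
         InstanceId = tostring(Req.instanceId),
         NetworkInterfaceId = tostring(Req.networkInterfaceId)
| where isnotempty(AllocationID)
| project AssociatedTime = TimeGenerated, AssociatedBy = UserIdentityArn,
          AllocationID, InstanceId, NetworkInterfaceId
| join kind=inner (Allocations) on AllocationID
// An association can only follow the allocation it refers to
| where AssociatedTime >= AllocatedTime
| project AllocatedTime, AssociatedTime, UserIdentityAccountId, AllocatedBy,
          AssociatedBy, IPAssigned, AllocationID, InstanceId, NetworkInterfaceId
```

Rows where AllocatedBy and AssociatedBy differ, or where InstanceId is empty and only NetworkInterfaceId is set, are worth a closer look during review.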

Details

Matt Zorich

Released: August 10, 2021

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,EventName,AllocateAddress,IPAssigned,AllocationID,TimeGenerated,UserIdentityArn,UserIdentityAccountId

Operators

where,has,extend,tostring,parse_json,project