Query Details

Client IP Malfunction

Query

// ClientIP is starting to show private IP addresses for OfficeWorkloads OneDrive and SharePoint, information is being lost.
OfficeActivity
| where TimeGenerated between (ago(90d) .. now())
| where isnotempty(ClientIP)
| extend
    // parse_ipv4() returns null when ClientIP is not a plain IPv4 string, so such rows evaluate to false
    IsPrivateRange = isnotempty(parse_ipv4(ClientIP)) and ipv4_is_private(ClientIP),
    // Flag for the 10.60.0.0/16 range; computed but not used by the filter below
    IsTenSixtyRange = isnotempty(parse_ipv4(ClientIP)) and ipv4_is_in_any_range(ClientIP, "10.60.0.0/16")
| where IsPrivateRange
// log() is the natural logarithm of the daily event count per workload
| summarize log(count()) by bin(TimeGenerated, 1d), OfficeWorkload
| render columnchart

Explanation

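The query looks at OfficeActivity data over the past 90 days and keeps only events whose ClientIP parses as an IPv4 address in a private range, the behaviour the query comment reports for the OneDrive and SharePoint workloads. The query itself does not filter on OfficeWorkload; it groups by it. It also computes an IsTenSixtyRange flag for 10.60.0.0/16, which the filter does not use. The result is the natural logarithm of the event count per day and OfficeWorkload, displayed as a column chart.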

Details

Jose Sebastián Canós

Released: July 23, 2024

Tables

OfficeActivity

Keywords

ClientIP, OfficeActivity, TimeGenerated, IsPrivateRange, parse_ipv4, ipv4_is_private, IsTenSixtyRange, ipv4_is_in_any_range, OfficeWorkload

Operators

where, isnotempty, extend, and, ipv4_is_private, parse_ipv4, ipv4_is_in_any_range, summarize, by, bin, render
