Query Details

Identity Parse IP Info from Security Alert

Query

//Query to parse IP information from Security Alerts
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
SecurityAlert
| where AlertName in ("Impossible travel activity", "Atypical Travel", "Anonymous IP address", "Anomalous Token")
// Pull the AadUserId out of the Entities JSON string (parsed here but not projected; add aadid_ to the project line if you need it)
| parse Entities with * 'AadUserId": "' aadid_ '",' *
// ExtendedProperties is a JSON string; read its "IP Addresses" value as text
| extend ep_ = parse_json(ExtendedProperties)
| extend s = tostring(ep_["IP Addresses"])
// Capture group 1 of every match: dotted-quad IPv4 candidates (octet values are not range-checked)
| extend ipv4_ = extract_all(@"(([\d]{1,3}\.){3}[\d]{1,3})", dynamic([1]), s)
// tostring() of a dynamic array renders ["a","b"]; translate() drops the [ " ] characters, leaving a,b
| extend ipv4Add_ = translate('["]', '', tostring(ipv4_))
// Fully expanded (8 hextet) IPv6 only; compressed forms such as 2001:db8::1 are not matched
| extend ipv6_ = extract_all(@"(([\da-fA-F]{1,4}\:){7}[\da-fA-F]{1,4})", dynamic([1]), s)
| extend ipv6Add_ = translate('["]', '', tostring(ipv6_))
| project TimeGenerated, AlertName, ipv4Add_, ipv6Add_, CompromisedEntity

Explanation

This query extracts IP information from Security Alerts. It first filters the alerts to the four alert names listed (impossible or atypical travel, anonymous IP address, and anomalous token). It then parses the Entities JSON string of each alert to pull out the AadUserId. Next it parses ExtendedProperties as JSON and reads its "IP Addresses" value as a string. From that string it extracts IPv4 and IPv6 addresses with regular expressions and strips the surrounding brackets and quotes that tostring() adds to a dynamic array, so each column holds a plain comma-separated list. Finally, it projects the TimeGenerated, AlertName, IPv4 addresses, IPv6 addresses, and CompromisedEntity fields.
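The same parsing, written as an added Python example rather than code from the query author, so the steps can be exercised offline against a few constructed SecurityAlert-shaped rows (the row layout, the alert values and the GUIDs are made up for this example). It mirrors the query's alert-name filter, AadUserId string parse, ExtendedProperties JSON parse and IPv4/IPv6 regexes, and goes one step further than the query by validating every candidate with the ipaddress module, which drops out-of-range octets such as 999.1.1.1 and also finds compressed IPv6 addresses that the 8-hextet regex cannot match.

```python
import ipaddress
import json
import re

# Alert names the KQL query filters on.
ALERT_NAMES = {
    "Impossible travel activity", "Atypical Travel",
    "Anonymous IP address", "Anomalous Token",
}

# Same shapes as the query's regexes; the IPv6 one only matches the fully expanded form.
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
IPV6_EXPANDED_RE = re.compile(r"(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}")
# Equivalent of: parse Entities with * 'AadUserId": "' aadid_ '",' *
AADID_RE = re.compile(r'AadUserId":\s*"([^"]+)"')

# Constructed sample rows shaped like the SecurityAlert table (not real alert data).
SAMPLE_ALERTS = [
    {
        "TimeGenerated": "2022-06-17T08:15:00Z",
        "AlertName": "Impossible travel activity",
        "CompromisedEntity": "user1@example.com",
        "Entities": json.dumps([{"Type": "account", "AadUserId": "11111111-2222-3333-4444-555555555555"}]),
        "ExtendedProperties": json.dumps({"IP Addresses": "203.0.113.10, 198.51.100.7"}),
    },
    {
        "TimeGenerated": "2022-06-17T09:02:00Z",
        "AlertName": "Anonymous IP address",
        "CompromisedEntity": "user2@example.com",
        "Entities": json.dumps([{"Type": "account", "AadUserId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}]),
        # One compressed and one fully expanded IPv6 address.
        "ExtendedProperties": json.dumps({"IP Addresses": "2001:db8::1, 2001:db8:0:0:0:0:0:2"}),
    },
    {
        # Not in ALERT_NAMES, so the filter drops it.
        "TimeGenerated": "2022-06-17T09:30:00Z",
        "AlertName": "Unfamiliar sign-in properties",
        "CompromisedEntity": "user3@example.com",
        "Entities": json.dumps([]),
        "ExtendedProperties": json.dumps({"IP Addresses": "192.0.2.5"}),
    },
    {
        # Alert without an "IP Addresses" property: both IP columns come back empty.
        "TimeGenerated": "2022-06-17T10:00:00Z",
        "AlertName": "Anomalous Token",
        "CompromisedEntity": "user4@example.com",
        "Entities": json.dumps([{"Type": "account", "AadUserId": "99999999-8888-7777-6666-555555555555"}]),
        "ExtendedProperties": json.dumps({"Activity": "Token issued"}),
    },
]


def parse_aad_user_id(entities):
    """Text-level parse of the Entities JSON string, like the query's parse operator."""
    m = AADID_RE.search(entities)
    return m.group(1) if m else None


def extract_ips(ip_field):
    """Return (ipv4, ipv6) lists of validated addresses found in the field.

    Regex hits are collected like the query does, then every candidate (plus each
    comma/space separated token, so compressed IPv6 is not lost) is validated with
    ipaddress.ip_address; invalid candidates are discarded and IPv6 is normalised.
    """
    candidates = set(IPV4_RE.findall(ip_field)) | set(IPV6_EXPANDED_RE.findall(ip_field))
    candidates |= {t for t in re.split(r"[\s,;]+", ip_field) if t}
    v4, v6 = set(), set()
    for cand in candidates:
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue  # e.g. 999.1.1.1 or a stray token
        (v4 if ip.version == 4 else v6).add(str(ip))
    return (sorted(v4, key=ipaddress.ip_address), sorted(v6, key=ipaddress.ip_address))


def parse_alerts(rows):
    """Apply the query's filter, parse and project steps to a list of alert rows."""
    out = []
    for row in rows:
        if row["AlertName"] not in ALERT_NAMES:
            continue
        ep = json.loads(row["ExtendedProperties"])          # parse_json(ExtendedProperties)
        v4, v6 = extract_ips(str(ep.get("IP Addresses", "")))  # tostring(ep_["IP Addresses"])
        out.append({
            "TimeGenerated": row["TimeGenerated"],
            "AlertName": row["AlertName"],
            "AadUserId": parse_aad_user_id(row["Entities"]),
            "ipv4Add_": ",".join(v4),   # same a,b layout the translate() step produces
            "ipv6Add_": ",".join(v6),
            "CompromisedEntity": row["CompromisedEntity"],
        })
    return out


if __name__ == "__main__":
    for result in parse_alerts(SAMPLE_ALERTS):
        print(result)
```

The KQL query only needs the regex columns because Kusto has no built-in address validation in that pipeline; the Python version keeps the AadUserId it parses in the output, which the original query drops at the project step.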

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

SecurityAlert, AlertName, Entities, AadUserId, aadid_, ExtendedProperties, IPAddresses, ipv4_, ipv4Add_, ipv6_, ipv6Add_, TimeGenerated, CompromisedEntity

Operators

where, in, parse, with, extend, tostring, extract_all, dynamic, translate, project
