Query Details

MDA IP Address Type

Query

CloudAppEvents
| where isnotempty(IPAddress)                                        // keep only events that carry a source IP
| summarize count() by IPCategory                                    // one row per IP category, with its event count
| extend IPCategory = iff(isempty(IPCategory), "Normal", IPCategory) // relabel the empty-category bucket as "Normal"

Explanation

This KQL (Kusto Query Language) query analyzes data from the CloudAppEvents table. Here's a breakdown of what it does, in simple terms:

  1. Filter for Non-Empty IP Addresses: It starts by filtering the data to include only those records where the IPAddress field is not empty.

  2. Count Events by IP Category: It then groups these filtered records by the IPCategory field and counts the number of events in each category.

  3. Handle Empty IP Categories: After counting, it checks if any of the IPCategory values are empty. If an IPCategory is empty, it assigns the value "Normal" to it.

In summary, this query is counting the number of cloud application events for each IP category, ensuring that any events without a specified IP category are labeled as "Normal".
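As an added example (not the original query above), the same idea with the relabelling done before the summarize, a lookback window, and distinct-IP and distinct-account counts per category; the 30-day window is an assumed value, and Timestamp and AccountObjectId are standard CloudAppEvents columns:

```kql
// Added example, not the original query: relabel empty categories first, then group.
CloudAppEvents
| where Timestamp > ago(30d)                                          // assumed lookback window; adjust as needed
| where isnotempty(IPAddress)                                         // ignore events with no source IP
| extend IPCategory = iff(isempty(IPCategory), "Normal", IPCategory)  // bucket empty categories as "Normal" before grouping
| summarize Events = count(),                                         // total events in the category
            DistinctIPs = dcount(IPAddress),                          // how many different IPs produced them
            DistinctAccounts = dcount(AccountObjectId)                // how many accounts were involved
            by IPCategory
| order by Events desc                                                // largest buckets first
```

Doing the extend before the summarize means the "Normal" label is applied per event, so the counts are grouped directly under that name rather than fixed up afterwards.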

Details


Jay Kerai

Released: October 2, 2025

Tables

CloudAppEvents

Keywords

CloudAppEvents, IPAddress, IPCategory

Operators

where, isnotempty, summarize, count, by, extend, iff, isempty
