Query Details

Risky IP Activities

Query

# Detect risky IP activities

### Defender For Endpoint

```
// Activities that Defender for Cloud Apps attributed to a source IP in the "Risky" category
CloudAppEvents
| where IPCategory == "Risky"
| project Timestamp, ActionType, IPAddress, IPCategory, ISP, RawEventData
```
### Sentinel
```
// Same detection for Sentinel, where the time column is TimeGenerated
CloudAppEvents
| where IPCategory == "Risky"
| project TimeGenerated, ActionType, IPAddress, IPCategory, ISP, RawEventData
```

Explanation

Both queries read the CloudAppEvents table, which is populated by Defender for Cloud Apps and exposed in Microsoft 365 Defender Advanced Hunting (the "Defender For Endpoint" tab above) and, through the Microsoft 365 Defender data connector, in Sentinel. They keep only activities whose source IP address falls in the "Risky" IP category and project the time column (Timestamp in Advanced Hunting, TimeGenerated in Sentinel), ActionType, IPAddress, IPCategory, ISP and RawEventData. "Risky" is one of the built-in IP address categories of Defender for Cloud Apps and covers addresses that Microsoft threat intelligence associates with anonymous proxies, Tor exit nodes and botnets; custom address ranges can also be assigned a category in the Defender for Cloud Apps settings, so check those before treating a hit as malicious. RawEventData carries the full raw payload of each activity, which helps triage but makes the result set large; when hunting over a longer period, narrow the time range first or summarize per account and IP.
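As an added example (not part of the original query or its author's repository), the same detection tuned the way it is usually run during a hunt: a seven-day window, an exclusion list for addresses you have already verified, and a per-account summary instead of raw rows. The allow-listed address 203.0.113.10 is a placeholder from the RFC 5737 documentation range; AccountDisplayName, AccountObjectId, Application and CountryCode are standard CloudAppEvents columns. For Sentinel, replace Timestamp with TimeGenerated.

```kql
// Added example, not the original query: risky-IP activity summarised per account and IP.
// KnownIPs is a placeholder allow-list (203.0.113.10 is from the RFC 5737 documentation range);
// replace it with addresses you have verified, e.g. a corporate VPN egress that was mis-categorised.
let KnownIPs = datatable(IPAddress:string) ["203.0.113.10"];
CloudAppEvents
| where Timestamp > ago(7d)                        // Sentinel: use TimeGenerated
| where IPCategory == "Risky"
| where IPAddress !in (KnownIPs)                   // drop verified false positives
| summarize
    Events    = count(),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Actions   = make_set(ActionType, 20),          // what was done from the risky IP
    Apps      = make_set(Application, 10)          // which cloud apps were touched
    by AccountDisplayName, AccountObjectId, IPAddress, ISP, CountryCode
| order by Events desc, LastSeen desc
```

Accounts with many events, or with administrative ActionType values, from a single risky IP are the rows to triage first; pivot back to the original query with the account and IP as filters when you need the RawEventData for a specific activity.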

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents,IPCategory,Timestamp,ActionType,IPAddress,ISP,RawEventData,TimeGenerated

Operators

where, ==, project