The data is in a JSON array in the alert data. This can be found in the MDFC workspace in the SecurityAlert table. Here is a query to extract the IP list from all alerts. It could be paired with a logic app to take automated action on the list like updating the Sentinel or MDE indicators. It also has location data that will render nicely on a world map tile in a workbook.
SecurityAlert
| where DisplayName =="Traffic detected from IP addresses recommended for blocking"
| mv-expand todynamic(Entities)
| extend BadIP = Entities.Address
| where isnotempty(BadIP)
| extend Carrier = parse_json(tostring(Entities.Location)).Carrier
| extend City = parse_json(tostring(Entities.Location)).City
| extend CountryCode = parse_json(tostring(Entities.Location)).CountryCode
| extend CountryName = parse_json(tostring(Entities.Location)).CountryName
| extend Latitude = parse_json(tostring(Entities.Location)).Latitude
| extend Longitude = parse_json(tostring(Entities.Location)).Longitude
| extend Organization = parse_json(tostring(Entities.Location)).Organization
| extend State = parse_json(tostring(Entities.Location)).State
| project TimeGenerated, BadIP, Carrier, City, CountryName, CountryCode, Latitude, Longitude, Organization, State