This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 15%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
¡Hello!
I'd like to know if there is a way to export the IP list of a low alert. (Traffic detected from IP addresses recommended for blocking)
¿Any query or from Log Analytics?
Attached example.
I understand that there is an option to export to .csv but it is not readable.
TY!
Hi @Alexis Salazar Núñez , what do you mean when you say the .CSV is not readable? Is the data not organized properly or is the file corrupted? Please let me know and I can help you further.
Best,
James
Hi @James Hamil , thanks for your question.
My goal is to download a list of IPs, to block or make a report, but when I download the .csv the data is not organized in such a way where I can download the list of malicious IPs
My question is, is there any way to debug so that I can see the list of IPs and not do it manually?
Regards,
The data is in a JSON array in the alert data. This can be found in the MDFC workspace in the SecurityAlert table. Here is a query to extract the IP list from all alerts. It could be paired with a logic app to take automated action on the list like updating the Sentinel or MDE indicators. It also has location data that will render nicely on a world map tile in a workbook.
SecurityAlert
| where DisplayName =="Traffic detected from IP addresses recommended for blocking"
| mv-expand todynamic(Entities)
| extend BadIP = Entities.Address
| where isnotempty(BadIP)
| extend Carrier = parse_json(tostring(Entities.Location)).Carrier
| extend City = parse_json(tostring(Entities.Location)).City
| extend CountryCode = parse_json(tostring(Entities.Location)).CountryCode
| extend CountryName = parse_json(tostring(Entities.Location)).CountryName
| extend Latitude = parse_json(tostring(Entities.Location)).Latitude
| extend Longitude = parse_json(tostring(Entities.Location)).Longitude
| extend Organization = parse_json(tostring(Entities.Location)).Organization
| extend State = parse_json(tostring(Entities.Location)).State
| project TimeGenerated, BadIP, Carrier, City, CountryName, CountryCode, Latitude, Longitude, Organization, State
Thank u Sr. @Andrew Blumhardt
I was working on a similar query (not advanced), but it's not my fortress, this query is perfect and useful for auditing.
It really is what I'm looking for.
In this query is it possible to know the affected resource and the port?
Regards.
This is as close as I could get tonight:
SecurityAlert
| where DisplayName =="Traffic detected from IP addresses recommended for blocking"
| mv-expand todynamic(Entities)
| extend BadIP = Entities.Address
| extend Port = Entities.DestinationPort
| extend Protocol = Entities.Protocol
| extend ResourceId = Entities.ResourceId
| where isnotempty(BadIP) or isnotempty(Port) or isnotempty(ResourceId)
| extend Carrier = parse_json(tostring(Entities.Location)).Carrier
| extend City = parse_json(tostring(Entities.Location)).City
| extend CountryCode = parse_json(tostring(Entities.Location)).CountryCode
| extend CountryName = parse_json(tostring(Entities.Location)).CountryName
| extend Latitude = parse_json(tostring(Entities.Location)).Latitude
| extend Longitude = parse_json(tostring(Entities.Location)).Longitude
| extend Organization = parse_json(tostring(Entities.Location)).Organization
| extend State = parse_json(tostring(Entities.Location)).State
| project TimeGenerated, BadIP, Port, Protocol, ResourceId, City, State, CountryName, CountryCode, Latitude, Longitude, Carrier, Organization
Are you getting a .txt file when you export? You're saying CSV but you uploaded a txt file so I wanted to confirm. I converted it to a csv and it was very unorganized. Please let me know because you should be getting a csv. Have you looked into importing the data into Azure Data Explorer?
Thanks for your follow up. @James Hamil
I will read about Azure Data Explorer.
Grateful for your help.