Run query for multiple IP

Question

I am trying to run the query in the logic app for a security incident in sentinel.

what I expect this query to do is give the result of multiple IP associated with the incident.

SigninLogs

|where UserPrincipalName contains "Account Name" and IPaddress =="A list of IPs associated with the alert " and DeviceDetails.isCompliant == True

|summarize by UserPrincalName,IPAddress,tostring(DeviceDetail)

Error:

ExpressionEvaluationFailed. The execution of template action 'For_each_3' failed: the result of the evaluation of 'foreach' expression '@body('Entities_-_Get_IPs')' is of type 'Object'. The result must be a valid array.

mikhailf · Answer

Hello&nbsp;maheshtata&nbsp;,&nbsp;Could you please send the playbook itself?A picture would be sufficient.

maheshtata · Answer

mikhailf&nbsp;&nbsp;Thank you for supporting&nbsp;

mikhailf · Answer

If you have several IP addresses you should use "Array" instead of "Object".
I would do something like the following: Run query -> From results of the query take IPs and append them to the Array of IPs.
Then you will have the Array of IPs and will be able to use it (send an email, get virustotal results etc.)

maheshtata · Answer

if i move them to array then the query is not working

Forum Discussion

Run query for multiple IP

Share

Resources