Forum Discussion

maheshtata's avatar
maheshtata
Copper Contributor
Oct 28, 2022

Run query for multiple IP

I am trying to run the query in the logic app for a security incident in sentinel. what I expect this query to do is give the  result of multiple IP associated with the incident.   SigninLogs |wh...
KQL
playbooks
siem
soar
mikhailf's avatar
mikhailf
Steel Contributor
Oct 29, 2022

Hello maheshtata ,

 

Could you please send the playbook itself?

A picture would be sufficient.

maheshtata's avatar
maheshtata
Copper Contributor
Oct 31, 2022

mikhailf 

 

Thank you for supporting 

  • mikhailf's avatar
    mikhailf
    Steel Contributor
    Oct 31, 2022
    If you have several IP addresses you should use "Array" instead of "Object".
    I would do something like the following: Run query -> From results of the query take IPs and append them to the Array of IPs.
    Then you will have the Array of IPs and will be able to use it (send an email, get virustotal results etc.)
    • maheshtata's avatar
      maheshtata
      Copper Contributor
      Oct 31, 2022
      if i move them to array then the query is not working

Resources