changing equality for ip addresses

2020-03-24 17:05:57 +02:00 · 2020-03-24 17:05:57 +02:00 · a450982b05
--- a/Queries/InputEntity_IP/IP2Account_byAccountAzureActivityLeast.yaml
+++ b/Queries/InputEntity_IP/IP2Account_byAccountAzureActivityLeast.yaml
@ -18,7 +18,7 @@ query: |

  let AccountActivity_byIP = (v_IP_Address:string){
  AzureActivity
-  | where Caller != '' and CallerIpAddress == v_IP_Address
+  | where Caller != '' and CallerIpAddress =~ v_IP_Address
  | summarize Account_Aux_StartTime = min(TimeGenerated), 
    Account_Aux_EndTime = max(TimeGenerated), 
    Count = count() by 
--- a/Queries/InputEntity_IP/IP2Account_byAccountAzureActivityMost.yaml
+++ b/Queries/InputEntity_IP/IP2Account_byAccountAzureActivityMost.yaml
@ -18,7 +18,7 @@ query: |

  let AccountActivity_byIP = (v_IP_Address:string){
  AzureActivity
-  | where Caller != '' and CallerIpAddress == v_IP_Address
+  | where Caller != '' and CallerIpAddress =~ v_IP_Address
  | summarize Account_Aux_StartTime = min(TimeGenerated), 
    Account_Aux_EndTime = max(TimeGenerated), 
    Count = count() by 
--- a/Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml
+++ b/Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml
@ -20,7 +20,7 @@ query: |
  WireData
  | parse Computer with HostName '.' Host_DnsDomain
  | where SessionState == 'Disconnected' 
-  | where RemoteIP == v_IP_Address
+  | where RemoteIP =~ v_IP_Address
  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
  | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), make_set(LocalIP) by Host_HostName, Host_DnsDomain
  | top 10 by Host_Aux_BytesReceived asc nulls last
--- a/Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml
+++ b/Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml
@ -20,7 +20,7 @@ query: |
  WireData
  | parse Computer with HostName '.' Host_DnsDomain
  | where SessionState == 'Disconnected'
-  | where RemoteIP == v_IP_Address
+  | where RemoteIP =~ v_IP_Address
  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
  | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), make_set(LocalIP) by Host_HostName, Host_DnsDomain
  | top 10 by Host_Aux_BytesReceived desc nulls last
--- a/Queries/InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml
+++ b/Queries/InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml
@ -19,7 +19,7 @@ query: |
  let HostsSendingDatatoIP = (v_IP_Address:string){
  WireData
  | where SessionState == 'Disconnected' 
-  | where RemoteIP == v_IP_Address
+  | where RemoteIP =~ v_IP_Address
  | summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP
  | parse Computer with HostName '.' Host_DnsName
  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
--- a/Queries/InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml
+++ b/Queries/InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml
@ -19,7 +19,7 @@ query: |
  let HostsSendingDatatoIP = (v_IP_Address:string){
  WireData
  | where SessionState == 'Disconnected' 
-  | where RemoteIP == v_IP_Address
+  | where RemoteIP =~ v_IP_Address
  | summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP
  | parse Computer with HostName '.' Host_DnsName
  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
--- a/Queries/InputEntity_IP/IP2IP_IPsWithMostDROPs.yaml
+++ b/Queries/InputEntity_IP/IP2IP_IPsWithMostDROPs.yaml
@ -20,7 +20,7 @@ query: |
  let MostDroppedDestIP = (v_IP_Address:string){
  WindowsFirewall
  | where FirewallAction == 'DROP'
-    and SourceIP   == v_IP_Address
+    and SourceIP =~ v_IP_Address
  | summarize DropCount = count(), Ports = makeset(DestinationPort) by DestinationIP
  | sort by array_length(Ports), DropCount
  | serialize rn=row_number()
--- a/Queries/InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml
+++ b/Queries/InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml
@ -19,7 +19,7 @@ query: |
  let MostDroppedSourceIP = (v_IP_Address:string){
  WindowsFirewall
  | where FirewallAction == 'DROP'
-    and DestinationIP   == v_IP_Address
+    and DestinationIP =~ v_IP_Address
  | summarize IP_Aux_DropCount = count(), DestPorts = makeset(DestinationPort) by SourceIP
  | sort by IP_Aux_DropCount
  | serialize rn=row_number()
--- a/Queries/InputEntity_IP/IpAddress_AccountLogons.yaml
+++ b/Queries/InputEntity_IP/IpAddress_AccountLogons.yaml
@ -19,7 +19,7 @@ query: |

  let GetAllAccountByIP = (v_IP_Address:string){
  OfficeActivity 
-  | where ClientIP == v_IP_Address
+  | where ClientIP =~ v_IP_Address
  | extend info = pack('ClientIP', ClientIP, 'UserType', UserType, 'Operation', Operation, 'OfficeWorkload', OfficeWorkload, 'ResultStatus', ResultStatus)
  | summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_Count=count(), Account_Aux_info = makeset(info) by UserId
  | project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, UserId, Account_Aux_Count, Account_Aux_info