Azure: filtering IP addresses out of a query
I use the following query to view the inbound connections of a VM:
// the machines of interest
let ips=materialize(ServiceMapComputer_CL
| summarize ips=makeset(todynamic(Ipv4Addresses_s)) by MonitoredMachine=ResourceName_s
| mvexpand ips to typeof(string));
let StartDateTime = datetime(2020-07-01T00:00:00Z);
let EndDateTime = datetime(2021-01-01T01:00:00Z);
VMConnection
| where Direction == 'inbound'
| where TimeGenerated > StartDateTime and TimeGenerated < EndDateTime
| join kind=inner (ips) on $left.DestinationIp == $right.ips
| summarize sum(LinksEstablished) by Computer, Direction, SourceIp, DestinationIp, DestinationPort, RemoteDnsCanonicalNames, Protocol
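There are a few IP addresses I would like to filter out, because they are useless and can be confusing. Any hints on how to filter IP addresses such as 10.30.0.0/20 and 10.40.0.0/25 out of the results?

It is not entirely clear what the input data looks like or how the IPs to filter out are defined. So the answer below is meant to get you started: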
let ServiceMapComputer_CL = datatable(Ipv4Addresses_s:string, ResourceName_s:string)
[
'10.0.30.0/20', 'a',
'10.40.0.0/25', 'a',
'11.1.30.0/20', 'b', // only record that will be left
];
ServiceMapComputer_CL
| where not(ipv4_is_match(Ipv4Addresses_s, '10.0.30.0') or ipv4_is_match(Ipv4Addresses_s, '10.40.0.0'))
| distinct Ipv4Addresses_s, ResourceName_s
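Also note that the "mvexpand" operator should be replaced with "mv-expand": the semantics of the two operators differ ("mvexpand" is a deprecated version, and it also has an internal limit that by default expands only 128 values, which may cause incorrect results to be returned).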