← Back to Explore
kqlHunting
Zscalar IP Sign-in Check
Experimental, query needs optimization.
Detection Query
//Experimental, query needs optimization.
let Zscaler = externaldata (prefixes: dynamic) [@'https://config.zscaler.com/api/zscaler.net/future/json'] with (format=json, ignoreFirstRecord=True)
//| mv-expand prefixes
//| summarize by ZscalerIP= tostring(prefixes)
| extend Dummy = 1;
SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == 0
| extend Dummy = 1
| join kind=fullouter Zscaler on Dummy //map every sign-in to all zscaler Ips
| where ipv4_is_in_any_range(IPAddress, prefixes)
| project-away prefixesData Sources
SigninLogs
Platforms
azure-ad
Tags
entra
Raw Content
//Experimental, query needs optimization.
let Zscaler = externaldata (prefixes: dynamic) [@'https://config.zscaler.com/api/zscaler.net/future/json'] with (format=json, ignoreFirstRecord=True)
//| mv-expand prefixes
//| summarize by ZscalerIP= tostring(prefixes)
| extend Dummy = 1;
SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == 0
| extend Dummy = 1
| join kind=fullouter Zscaler on Dummy //map every sign-in to all zscaler Ips
| where ipv4_is_in_any_range(IPAddress, prefixes)
| project-away prefixes