TechQA.

Error getting results on KQL using ipv4_lookup and watchlist functions

114 views Asked by At

I run a KQL search to enrich with some network tagging from a watchlist and then use it to filter out the results, based in all Microsoft documentation, code ir right, but results are wrong

let subnets = (_GetWatchlist('NetworkHierarchy')| where GROUP in ("Zscaler")|project CIDR, GROUP);
let Query =
SigninLogs
| where TimeGenerated >= ago(timeFrame);
Query
| evaluate ipv4_lookup(subnets, IPAddress, CIDR, return_unmatched = true)
| where isempty(CIDR)

I get results of the main "query" but aren't enriched, one example is a result from 165.225.208.47 IP address when I have the entire 165.225.0.0/16 block on that Watchlist

I tried a lot of variations but seems is unable to match, I have only 5K entries in that watchlist, similiar like

watchlist_content

kql azure-sentinel
Original Q&A
1

There are 1 answers

1
Gyp the Cat On

I may be way off the mark here, and apologies if so. But have you tried materialize on the watchlist?

let subnets = materialize(_GetWatchlist('NetworkHierarchy')| where GROUP in ("Zscaler")|project CIDR, GROUP);
let Query =
SigninLogs
| where TimeGenerated >= ago(timeFrame);
Query
| evaluate ipv4_lookup(subnets, IPAddress, CIDR, return_unmatched = true)
| where isempty(CIDR)

Related Questions in KQL

Related Questions in AZURE-SENTINEL

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions