TechQA.

Kusto Query Language - Microsoft Defender IP Subnet Query

595 views Asked by At

Is there a way to query for IP ranges from the DeviceEvent table using IP subnet notation i.e. 1.1.1.0/24 vs. listing individual IPs 1.1.1.1?

Instead of list inididual IPs for

| where LocalIP == "1.1.1.1"

I would like to list subnet range "1.1.1.1 - 1.1.1.255" or "1.1.1.0/24"

kql microsoft365-defender
Original Q&A
1

There are 1 answers

0
David דודו Markovitz On 
datatable(LocalIP:string)["1.1.0.255", "1.1.1.0", "1.1.1.179", "1.1.1.255", "1.129.13.42", "2.0.0.0"]
| where ipv4_is_in_range(LocalIP, "1.1.1.0/24")
LocalIP
1.1.1.0
1.1.1.179
1.1.1.255

Fiddle

Related Questions in KQL

Related Questions in MICROSOFT365-DEFENDER

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions