Forum Discussion

Greesh_0786's avatar
Greesh_0786
Copper Contributor
May 25, 2022

Sentinel Query error

Hello,

 

Does anyone know how to assign variable with network:string if we are using watchlist with CIDR.  I am getting below error. 

 

let subnets = (_GetWatchlist('TorrentList')|project SearchKey);

| evaluate ipv4_lookup(subnets, IPAddress, network, return_unmatched = true)
| where isempty(network)

 

Error:

'evaluate' operator: Failed to resolve column or scalar expression named 'network'

 

Thanks a ton!!

2 Replies

  • krabelize's avatar
    krabelize
    Copper Contributor
    Oct 31, 2022
    One more example if you want to use a watchlist: https://cryptsus.com/blog/enrich-geolocation-sentinel-siem.html
  • Clive_Watson's avatar
    Clive_Watson
    Bronze Contributor
    May 26, 2022
    There are examples in the Github:
    https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=ipv4_lookup

    You need a table and the network data has to be in that Table or the watchlist - this rough example fakes the network info but relies and adds a Table (this is made up, but shows you how I hope)

    let network='1.1.1.1/32';
    let subnets = (_GetWatchlist('ipa')|project SearchKey);
    AzureActivity
    | evaluate ipv4_lookup(subnets, CallerIpAddress, network, return_unmatched = true)
    | where isempty(network)