Forum Discussion
Greesh_0786
May 25, 2022, Copper Contributor
Sentinel Query error
Hello, does anyone know how to assign a variable with network:string if we are using a watchlist with CIDR? I am getting the below error. let subnets = (_GetWatchlist('TorrentList')|project SearchK...
Clive_Watson
May 26, 2022, Bronze Contributor
There are examples in the GitHub repo:
https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=ipv4_lookup
You need a table, and the network data has to be in that table or the watchlist. This rough example fakes the network info but relies on and adds a table (this is made up, but shows you how, I hope):
// The third argument of ipv4_lookup must be a column of the lookup table,
// so the watchlist's SearchKey (the CIDR string) is exposed under the name "network".
let subnets = (_GetWatchlist('ipa') | project network = SearchKey);
AzureActivity
| evaluate ipv4_lookup(subnets, CallerIpAddress, network, return_unmatched = true)
| where isempty(network)   // rows whose caller IP fell in none of the watchlist ranges
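The following is an added worked example; it is not part of Clive_Watson's reply or of the Azure-Sentinel repository. It stands in for the watchlist with an inline datatable, so it runs in any Log Analytics or Sentinel workspace without a watchlist or AzureActivity data, and shows both the ipv4_lookup join and the ipv4_is_in_any_range filter over the same CIDR list. The watchlist columns (SearchKey, Owner), the sample events and the IP addresses are all constructed for illustration; in production, replace the `watchlist` datatable with `_GetWatchlist('<your-watchlist-alias>')`.

```kusto
// Constructed stand-in for _GetWatchlist('<alias>'): SearchKey holds the CIDR,
// Owner is an extra watchlist column we want carried through to the result.
let watchlist = datatable(SearchKey:string, Owner:string) [
    "10.0.0.0/8",      "corp-lan",
    "192.168.1.0/24",  "lab",
    "203.0.113.0/24",  "partner-vpn"
];
// ipv4_lookup needs the CIDR in a named column of the lookup table,
// so project SearchKey as "network"; keep Owner so it lands on matched rows.
let subnets = watchlist | project network = SearchKey, Owner;
// Constructed events standing in for AzureActivity.
let events = datatable(TimeGenerated:datetime, CallerIpAddress:string, OperationName:string) [
    datetime(2022-05-25 10:00:00), "10.20.30.40",    "Microsoft.Compute/virtualMachines/write",
    datetime(2022-05-25 10:05:00), "192.168.1.77",   "Microsoft.Storage/storageAccounts/listKeys/action",
    datetime(2022-05-25 10:07:00), "198.51.100.9",   "Microsoft.Authorization/roleAssignments/write",
    datetime(2022-05-25 10:09:00), "203.0.113.200",  "Microsoft.KeyVault/vaults/read"
];
// Approach 1: ipv4_lookup. Each event is matched against every CIDR;
// return_unmatched = true keeps events that hit no range, with network/Owner empty.
events
| evaluate ipv4_lookup(subnets, CallerIpAddress, network, return_unmatched = true)
| extend KnownNetwork = isnotempty(network)
| project TimeGenerated, CallerIpAddress, OperationName, KnownNetwork, network, Owner
// Expected: three rows with KnownNetwork == true (10.20.30.40 -> corp-lan,
// 192.168.1.77 -> lab, 203.0.113.200 -> partner-vpn) and one unmatched row
// (198.51.100.9) with KnownNetwork == false, which is the row a detection
// for "privileged operation from outside known ranges" would keep.
```

The second approach, useful when you only need a boolean filter and no columns from the watchlist, collapses the CIDR column into a dynamic array and tests membership per row:

```kusto
let watchlist = datatable(SearchKey:string) [ "10.0.0.0/8", "192.168.1.0/24", "203.0.113.0/24" ];
let ranges = toscalar(watchlist | summarize make_list(SearchKey));
datatable(CallerIpAddress:string) [ "10.20.30.40", "198.51.100.9" ]
| where not(ipv4_is_in_any_range(CallerIpAddress, ranges))
// Expected: only 198.51.100.9 survives the filter.
```

ipv4_lookup scales better for large watchlists because it does a single indexed join rather than evaluating every range for every row, and it is the only one of the two that returns which range (and which watchlist attributes) matched.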