Forum Discussion
eladfe
Jul 24, 2022 (Copper Contributor)
help in kql query
Hey
I have a list of IPs and I want to check whether each one of them exists in the DNS of the network adapter.
So for one address this is fine:
DeviceNetworkInfo
| where DnsAddresses contains "192.168.1.1"
But what do I do if I have a list of IPs and I want to check each one of them?
Thanks
- Rod_Trent (Microsoft)
A couple options...
- Use the KQL let statement
- Use the externaldata operator (https://rodtrent.com/d9f)
- Use a Watchlist
Both let statement and Watchlist covered here: https://rodtrent.com/fsb
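One way to apply the let statement option to the query in the question, as an added example that is not part of the original thread or written by any of its participants. The sample addresses and the 7-day window are constructed, and the column names assume the Defender advanced hunting DeviceNetworkInfo schema. It compares exact array elements because `contains "192.168.1.1"` is a substring match and would also hit 192.168.1.10, and it reports list entries that were never seen as well as the ones that were.

```kql
// Constructed sample list; replace with the DNS server addresses to check.
let dns_ips = dynamic(["192.168.1.1", "10.0.0.53", "8.8.8.8"]);
// Devices whose adapter DNS configuration contains any listed address.
let observed =
    DeviceNetworkInfo
    | where Timestamp > ago(7d)                 // assumed look-back window
    | where DnsAddresses has_any (dns_ips)      // cheap pre-filter on the raw JSON string
    // DnsAddresses is a JSON array stored as a string: expand to one row per address
    | mv-expand DnsAddress = todynamic(DnsAddresses) to typeof(string)
    | where DnsAddress in (dns_ips)             // exact match on each array element
    | summarize DeviceCount = dcount(DeviceId),
                Devices     = make_set(DeviceName, 20),
                LastSeen    = max(Timestamp)
             by DnsAddress;
// One output row per listed address, including addresses no device uses.
print DnsAddress = dns_ips
| mv-expand DnsAddress to typeof(string)
| join kind=leftouter observed on DnsAddress
| project DnsAddress,
          DeviceCount = coalesce(DeviceCount, long(0)),
          Devices,
          LastSeen
| order by DeviceCount desc
```

For a list maintained outside the query, the same body works if `dns_ips` is built from an externaldata or Watchlist lookup instead of the inline array.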
- yongrheemsft (Microsoft)
Hi eladfe,
Additionally, we have a nice list of Advanced Hunting (AH) samples here: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries and Azure Sentinel has Advanced Hunting query samples here: https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries
Thanks,
Yong Rhee - MSFT