Forum Discussion

ashishrajsrivastava's avatar
ashishrajsrivastava
MCT
Feb 15, 2022

How to compare a array values in a column against another array from a watchlist in Kusto

I am getting results with a column named IPAddresses having values in array. I want to compare each value in this array to a list (another array from a watch list). I have been trying to make use of ...
Azure Sentinel
ashishrajsrivastava's avatar
ashishrajsrivastava
MCT
Feb 15, 2022
Let me try this, I do remember trying union but not sure if I did finish till the comparison.
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Feb 15, 2022

ashishrajsrivastava

 

I had a similar task recently, and it's still a work in progress - its simplified compared to yours to get to the main task. 

//watchlist array
let ZSwatchlist = (_GetWatchlist('ipa')
    | project SearchKey 
    | summarize zlist = make_list(SearchKey));
let users = (
    // Get IP addresses for a named Table and make as an array
    AWSVPCFlow
    | where TimeGenerated > ago(30d)
    | where isnotempty(SrcAddr)
    // testing - there is a point when too many IPs fills the array, keep it small 
    | limit 1048
    | summarize IPAddresses = make_set(SrcAddr)
);
union users, ZSwatchlist
| project IPAddresses ,tostring(zlist)
| mv-apply ipscaler=IPAddresses to typeof(string) on
    (
        where not(ipv4_is_in_range(ipscaler,zlist))
    )

 

  • ashishrajsrivastava's avatar
    ashishrajsrivastava
    MCT
    Feb 16, 2022
    Trying exactly this. Does not throw a terminal error but does not show valid results either. Trying to tweak it further.

Resources