Forum Discussion
akshay250692
May 18, 2023, Brass Contributor
How to exclude IP along with port
Hi Team, I have created one rule and want to exclude 2 destination IPs along with destination port 445. How would I write it? Below is my query: let deviceIP = (_GetWatchlist('qwe') | projec...
Clive_Watson
May 19, 2023, Bronze Contributor
You'll probably need to join the data: build a list of the IPs with that port, then join it to the IPs that don't, something like this (which is an untested example):
// Exclude these: drop only rows where the destination is one of the two IPs AND the port is 445.
// DestinationPort is an int column in CommonSecurityLog, so compare it to a number, not to the string "445".
CommonSecurityLog
| where not(DestinationPort == 445 and DestinationIP in ('1.1.1.1', '2.2.2.2'))
| summarize arg_max(TimeGenerated, DestinationIP, DestinationPort) by Computer
// join to all the data without the excluded records
| join kind=rightouter
(
    CommonSecurityLog
    | summarize arg_max(TimeGenerated, DestinationIP, DestinationPort) by Computer
) on Computer