Forum Discussion

Copper Contributor

Oct 29, 2020

Solved

Watchlist and query

new to kql here, is it possible to build a query that search's across logs looking for machines that connected to any of ip addresses in the watchlist? Any examples ? Plan would be to turn that que...

GaryBushey
Oct 30, 2020
roadruner This is the starting query for something like that.

let ClearedIPAddresses=_GetWatchlist('test1');
CommonSecurityLog
| join ClearedIPAddresses on $left.SourceIP== $right.IPAddress

GaryBushey

Bronze Contributor

Oct 30, 2020

roadruner It will only search the one table.

There really is no way to search all tables for multiple values. There is the "search" command, https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator, that allows you to search for a single term although I do not know if this can be used in a Analytic rule or not.

roadruner

Copper Contributor

Oct 30, 2020

GaryBushey Hmm ok, thanks. How can i search one table? say CommonSecurityLog

I tried this but no dice.

CommonSecurityLog

let ClearedIPAddresses=_GetWatchlist('test1');
Heartbeat
| join ClearedIPAddresses on $left.ComputerIP == $right.IPAddress

GaryBushey
Bronze Contributor
Oct 30, 2020
roadruner This is the starting query for something like that.

let ClearedIPAddresses=_GetWatchlist('test1');
CommonSecurityLog
| join ClearedIPAddresses on $left.SourceIP== $right.IPAddress
- roadruner
  Copper Contributor
  Oct 30, 2020
  GaryBushey Thanks! This worked. Just replaced sourceip to destip. and .found the test hits to the list. either way works.