Forum Discussion
Watchlist search all tables for IP
Hi,
I have a watchlist with 50 IP address. I would need help to search the IPs in all tables regardless of the column in my L.A.W
Please help me with the KQL Query
4 Replies
- try this let tables = search * | where TimeGenerated >= ago(2s); watchlist_IP | where ipAddress in (tables)
- there are some issues with watchlist_IP can you check
let tables = search *
| where TimeGenerated >= ago(2s);
watchlist_IP
| where ipAddress in (tables) - hi having some syntax issues , can you put it line by line
sulaimanncs915 sulaimanncs915 Sentinel has a query timeout limit of 10 minutes. Depending on your table size, you MAY be successful in executing the search() query. I believe you are doing IoC search, so if there are multiple hits for your IP and the table size is bigger then there will be a performance hit and your query may timeout as well
I would suggest to narrow down on every table which column has the data you want to look up and then perform the search on those columns. Basically you can have one main function and then subfunctions within it running the search for the individual tables
Check the following post:
https://techcommunity.microsoft.com/t5/microsoft-sentinel/kql-query-for-match-ioc-from-watchlist/m-p/3213168
