Sentinel Query error

Hello,

Does anyone know how to assign a variable with network:string if we are using a watchlist with CIDR? I am getting the error below.

let subnets = (_GetWatchlist('TorrentList')|project SearchKey);
| evaluate ipv4_lookup(subnets, IPAddress, network, return_unmatched = true)
| where isempty(network)

Error:

'evaluate' operator: Failed to resolve column or scalar expression named 'network'

Thanks a ton!!

2 Replies
There are examples on GitHub:
https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=ipv4_lookup

You need a table, and the network data has to be in that table or the watchlist. This rough example fakes the network info but relies on and adds a table (this is made up, but I hope it shows you how).

// The third argument of ipv4_lookup is a column of the lookup table, so the
// watchlist's CIDR values must be projected under that column name (network).
let subnets = (_GetWatchlist('ipa') | project network = SearchKey);
// AzureActivity is the source table; CallerIpAddress is the IP column to match.
AzureActivity
| evaluate ipv4_lookup(subnets, CallerIpAddress, network, return_unmatched = true)
// with return_unmatched = true, rows outside every CIDR come back with an empty network
| where isempty(network)
One more example if you want to use a watchlist: https://cryptsus.com/blog/enrich-geolocation-sentinel-siem.html
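The error in the question comes from passing `network` to ipv4_lookup when the lookup table only has a column called SearchKey. The plugin's third argument names the CIDR column inside the lookup table, so that column has to exist there. Below is an added, self-contained KQL example (not code from the thread or from the Azure-Sentinel repository) that builds both sides as datatables so it runs in any workspace without a watchlist; the CIDR ranges, event rows, column names and the watchlist name `TorrentList` in the comment are constructed for illustration. It also goes one step beyond the thread by keeping the matched CIDR and its label on each row, which is what you want when the output feeds an analytics rule.

```kql
// Constructed CIDR lookup table. In a real workspace replace this with:
//   let subnets = (_GetWatchlist('TorrentList') | project network = SearchKey);
// The column named in ipv4_lookup's third argument (network) must exist in
// this table; a watchlist exposes its key column as SearchKey, so rename it.
let subnets = datatable(network:string, label:string)
[
    '192.0.2.0/24',    'tracker-range-a',
    '198.51.100.0/24', 'tracker-range-b'
];
// Constructed sample events standing in for a real table such as
// AzureActivity (CallerIpAddress) or CommonSecurityLog (DestinationIP).
let events = datatable(TimeGenerated:datetime, IPAddress:string, Account:string)
[
    datetime(2024-01-01T10:00:00Z), '192.0.2.17',     'alice',
    datetime(2024-01-01T10:01:00Z), '203.0.113.5',    'bob',
    datetime(2024-01-01T10:02:00Z), '198.51.100.200', 'carol'
];
events
| evaluate ipv4_lookup(subnets, IPAddress, network, return_unmatched = true)
// With return_unmatched = true every event is returned; rows whose IP falls
// outside all CIDRs have an empty network (and label). Flag them explicitly
// rather than silently dropping either side.
| extend Matched = isnotempty(network)
| project TimeGenerated, Account, IPAddress, network, label, Matched
// Expected: alice and carol are Matched with their range label; bob is not.
// For a detection that only fires on hits, finish with:
//   | where isnotempty(network)
// For the original goal (traffic outside the allowed list), finish with:
//   | where isempty(network)
```

One check worth doing before wiring this into a rule: confirm the CIDR strings are actually in the watchlist's SearchKey column. If the watchlist was created with a different key column, project that column name instead of SearchKey, and make sure every value is a valid IPv4 CIDR, since ipv4_lookup will not match on malformed entries.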