SOLVED

Working with watchlists and ipv4_is_in_any_range() to exclude results from query


Hello!

I am struggling with using watchlists as a blacklist.

This is my query:


let list = _GetWatchlist('blacklistedSegments')
| summarize make_list(segment);
SigninLogs
| where ipv4_is_in_any_range(IPAddress, list); //throws an error
This is my Watchlist named "blacklistedSegments" - one column named "segment":

segment
1.2.0.0/16
3.4.0.0/16

I am trying to create a query in which sign-in logs from blacklisted IPs are returned.

The problem is that I get the following error:

[screenshot of the error message]

This is probably because make_list() returns an array while the ipv4 method expects a value. 

Can anyone suggest the correct KQL way of achieving the above? 
Any suggestion will be highly appreciated!

Thanks in advance.

Ben


5 Replies
You could probably use project rather than summarize, or Distinct?

let list = _GetWatchlist("....") | project SearchKey

or there is a Dynamic option, which I've not tried with a Watchlist: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-in-any-range-function

e.g.

ipv4_is_in_any_range("127.0.0.1", dynamic([segment])) == true


@Clive_Watson 

Thanks for replying.

Unfortunately Project and Distinct throw the same error.

The docs say that the method expects a dynamic array:

[screenshot of the ipv4_is_in_any_range() documentation]

and make_list() returns exactly that:

[screenshot of the make_list() documentation]

Maybe there are some subtleties I'm missing?

best response confirmed by ben_loy (Copper Contributor)
Solution

@ben_loy 


This example works for me

let list = toscalar(_GetWatchlist('...........')
| summarize make_list(SearchKey));
AzureActivity
| where ipv4_is_in_any_range(tostring(CallerIpAddress), list)

[screenshot of the query results]

This works great. Any thoughts on if I want to exclude the IP addresses in the watchlist from my query?
Something like this (not tested)?

| where not(ipv4_is_in_any_range(tostring(CallerIpAddress), list))
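An added example (not code posted in this thread) that applies the accepted toscalar() approach to the original SigninLogs case and to the exclusion variant asked about above. It assumes the watchlist is named "blacklistedSegments" with a "segment" column holding CIDR ranges, as described in the question. It also handles one edge case worth knowing when excluding: ipv4_is_in_any_range() returns null for an address it cannot parse as IPv4 (such as an IPv6 sign-in), and a bare where not(...) silently drops those rows.

```kql
// Added example, not code from the thread.
// Assumes a watchlist 'blacklistedSegments' with a 'segment' column of CIDR ranges.
let blocked = toscalar(
    _GetWatchlist('blacklistedSegments')
    | summarize make_list(segment));
SigninLogs
// Evaluate the membership test once and keep the raw result (true/false/null)
| extend InBlockedRange = ipv4_is_in_any_range(IPAddress, blocked)
// Exclusion: keep sign-ins that are NOT from a blocked range.
// ipv4_is_in_any_range() returns null when IPAddress is not a valid IPv4
// address (e.g. an IPv6 sign-in). `where not(InBlockedRange)` would drop
// those rows, because null is not true; keep them explicitly instead.
| where isnull(InBlockedRange) or InBlockedRange == false
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, InBlockedRange
```

For the detection (inclusion) variant, replace the where clause with `| where InBlockedRange == true`, which also drops the null rows, which is the intended behaviour there.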