cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

help in kql query

eladfe
Copper Contributor

‎Jul 24 2022 05:59 AM

‎Jul 24 2022 05:59 AM

help in kql query

hay

I have a list of IP's and i want to check each one of them exist in the dns of the network adapter .

So for one address this is fine:

DeviceNetworkInfo
| where DnsAddresses  contains "192.168.1.1"
but what to do if i have a list of IP's and i want to check each one of them? 
Thanks

 

725 Views
0 Likes
2 Replies
Reply
2 Replies
Rod_Trent

‎Jul 25 2022 05:05 AM - edited ‎Jul 25 2022 05:06 AM

‎Jul 25 2022 05:05 AM - edited ‎Jul 25 2022 05:06 AM

Re: help in kql query

@eladfe 

 

A couple options...

 

  1. Use the KQL let statement
  2. Use the externaldata operator (https://rodtrent.com/d9f
  3. Use a Watchlist

Both let statement and Watchlist covered here: https://rodtrent.com/fsb 

0 Likes
Reply
Yong Rhee

‎Jul 26 2022 08:18 PM

‎Jul 26 2022 08:18 PM

Re: help in kql query

Hi @eladfe,
Additionally, we have a nice list of Advanced Hunting (AH) samples here: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries and Azure Sentinel, has Advanced Hunting query samples here: https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries
Thanks,
Yong Rhee - MSFT
0 Likes
Reply