cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Compare a watchlist of IPs to DNS Events

agoodson
Microsoft

‎Dec 13 2021 10:45 AM

‎Dec 13 2021 10:45 AM

Compare a watchlist of IPs to DNS Events

I am trying to compare IOCs from a watchlist in Sentinel to the DnsEvent based on a KQL query. But I am having trouble comparing the two sources. I thought about a union statement, but I can't get around that I have to compare specific columns in two different sources. Does anyone know how to compare results (ips) from a watchlist to DNS events using KQL? 

799 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by agoodson (Microsoft)
Gary Bushey

‎Dec 13 2021 11:51 AM

‎Dec 13 2021 11:51 AM

Solution

Re: Compare a watchlist of IPs to DNS Events

@agoodson a join would work. 

 

_GetWatchlist('IPAddresses')
| join (DnsEvents) on $left.IPAddress == $right.IPAddresses
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by agoodson (Microsoft)
Gary Bushey

‎Dec 13 2021 11:51 AM

‎Dec 13 2021 11:51 AM

Solution

Re: Compare a watchlist of IPs to DNS Events

@agoodson a join would work. 

 

_GetWatchlist('IPAddresses')
| join (DnsEvents) on $left.IPAddress == $right.IPAddresses

View solution in original post

0 Likes
Reply