Forum Discussion
joserca
Jun 23, 2023
Copper Contributor
Filter IP ranges on Azure Sentinel search
Hello everyone,
I'm using the query described at https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserLoginIPAddressTeleportation.yaml to get alerts on suspicious logins from different countries, but I get lots of false positives from people connecting to our VPNs.
Is there a way to filter using IP ranges instead of specific IPs? I've tried using this:
let excludeKnownVPN = dynamic(['127.0.0.1', '0.0.0.0', '123.231.0.0/16']);
but I don't get the expected outcome (I still get alerts from those IPs).
If someone knows how to filter IP ranges out, I'll greatly appreciate it.
Best regards!
1 Reply
- Clive_Watson (Bronze Contributor)
  There are lots of IPv4 functions, take a look here: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-in-range-function
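
An added example, not part of the original thread or of the Azure-Sentinel repository: a CIDR-aware exclusion built on the IPv4 range functions the reply points to, run over constructed sign-in rows. It assumes the exclusion list is otherwise compared by exact string match, which a CIDR entry such as `123.231.0.0/16` can never satisfy; `SampleSignins` and its rows are hypothetical stand-ins for `SigninLogs`, and single addresses are written as `/32` so every list entry is an explicit range.

```kusto
// Exclusion list from the question, with single hosts expressed as /32 ranges.
let excludeKnownVPN = dynamic(['127.0.0.1/32', '0.0.0.0/32', '123.231.0.0/16']);
// Constructed sample rows (documentation address space plus the poster's range).
// In Sentinel, replace SampleSignins with SigninLogs.
let SampleSignins = datatable(UserPrincipalName:string, IPAddress:string, Country:string)
[
    'alice@example.com', '123.231.14.7',  'NL',  // inside the VPN /16
    'alice@example.com', '198.51.100.20', 'US',  // outside every range
    'bob@example.com',   '127.0.0.1',     'XX',  // loopback entry
    'bob@example.com',   '203.0.113.9',   'DE',  // outside every range
    'carol@example.com', '2001:db8::1',   'FR',  // IPv6: not parsable as IPv4
    'dave@example.com',  '',              'GB'   // empty address field
];
SampleSignins
// String equality: an address never equals a CIDR string, so this is
// false for every row here, including the ones inside the VPN range.
| extend ExactMatch = IPAddress in (excludeKnownVPN)
// Range-aware test. The function returns null when IPAddress is not a
// valid IPv4 string; coalesce() turns that into false so IPv6 and empty
// rows stay in the result instead of being dropped by the where clause.
| extend InVpnRange = coalesce(ipv4_is_in_any_range(IPAddress, excludeKnownVPN), false)
| where not(InVpnRange)
| project UserPrincipalName, IPAddress, Country, ExactMatch, InVpnRange
```

Only the rows for `198.51.100.20`, `203.0.113.9`, the IPv6 address and the empty address remain. Without the `coalesce()`, the IPv6 and empty rows would disappear from the hunt as well, which hides sign-ins rather than filtering VPN traffic.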