Filter IP ranges on Azure Sentinel search

Hello everyone,

I'm using the query described here to get alerts on suspicious logins from different countries, but I get lots of false positives from people connecting to our VPNs.

Is there a way to filter using IP ranges instead of specific IPs? I've tried using this

let excludeKnownVPN = dynamic(['127.0.0.1', '0.0.0.0', '123.231.0.0/16']);

but I don't get the expected outcome (I still get alerts from those IPs).

 

If someones knows how to filter IP ranges out, I'll greatly appreciate it.

 

Best regards!

1 Reply
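
Added example (not part of the original post or of the query it links to): a membership test such as `in` / `!in` against a dynamic list compares strings exactly, so an entry like '123.231.0.0/16' only matches that literal text, while `ipv4_is_in_any_range()` evaluates CIDR ranges. The table name `SampleSignins`, its columns, and the final multi-country check are assumptions standing in for the real sign-in query.

```kql
// Added example. Table/column names are assumptions; all rows are constructed sample data.
// Single addresses are written as /32 so every list entry is in CIDR notation.
let excludeKnownVPN = dynamic(['127.0.0.1/32', '0.0.0.0/32', '123.231.0.0/16']);
let SampleSignins = datatable(UserPrincipalName:string, IPAddress:string, Location:string)
[
    'alice@example.com', '123.231.4.17',   'US',  // inside 123.231.0.0/16 (VPN egress)
    'alice@example.com', '198.51.100.23',  'DE',  // outside every listed range
    'alice@example.com', '203.0.113.77',   'NL',  // outside every listed range
    'bob@example.com',   '203.0.113.9',    'BR',  // outside every listed range
    'bob@example.com',   '123.231.200.1',  'US',  // inside 123.231.0.0/16 (VPN egress)
    'carol@example.com', '2001:db8::1',    'FR',  // IPv6: the IPv4 function returns null
    'carol@example.com', '192.0.2.50',     'JP'   // outside every listed range
];
SampleSignins
// ipv4_is_in_any_range() returns null when the address cannot be parsed as IPv4.
// A null predicate in `where` drops the row, which would silently hide IPv6 sign-ins,
// so null is coalesced to false (= "not a known VPN address", keep the row).
| extend IsKnownVPN = coalesce(ipv4_is_in_any_range(IPAddress, excludeKnownVPN), false)
| where not(IsKnownVPN)
// Stand-in for the detection logic: users seen from more than one country
// after VPN traffic has been removed.
| summarize Countries = make_set(Location), CountryCount = dcount(Location) by UserPrincipalName
| where CountryCount > 1
```

In a real workspace, replace `SampleSignins` with the sign-in table the detection already uses and keep the two filter lines in front of the existing country logic.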