cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

try to use Watchlist with analytics rule

chirasuemetrosystems
Copper Contributor

‎Jan 25 2022 12:23 AM - edited ‎Jan 25 2022 12:25 AM

‎Jan 25 2022 12:23 AM - edited ‎Jan 25 2022 12:25 AM

try to use Watchlist with analytics rule

I have tried to use watch list IP address to exclude IP address from failed address in analytic rule"Successful logon from IP and failure from a different IP"

but it is not success
 

let logonDiff = 10m;

let watchlist = _GetWatchlist('WLtest');
let aadFunc = (tableName: string) {
table(tableName)
| where ResultType == "0"
| where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online")
| project
SuccessLogonTime = TimeGenerated,
UserPrincipalName,
SuccessIPAddress = IPAddress,
AppDisplayName,
SuccessIPBlock = strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1]),
Type
| join kind= inner (
table(tableName)
| where ResultType !in ("0", "50140")
| where ResultDescription !~ "Other"
| where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online")
| project
FailedLogonTime = TimeGenerated,
UserPrincipalName,
FailedIPAddress = IPAddress,
AppDisplayName,
ResultType,
ResultDescription,
Type
)
on UserPrincipalName, AppDisplayName
| where SuccessLogonTime < FailedLogonTime
and FailedLogonTime - SuccessLogonTime <= logonDiff
and FailedIPAddress !startswith SuccessIPBlock
| where FailedIPAddress !in (watchlist)
| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime)
by
UserPrincipalName,
SuccessIPAddress,
AppDisplayName,
FailedIPAddress,
ResultType,
ResultDescription,
Type
| extend timestamp = SuccessLogonTime
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt

912 Views
0 Likes
1 Reply
Reply
1 Reply
Gary Bushey

‎Jan 25 2022 03:21 AM

‎Jan 25 2022 03:21 AM

Re: try to use Watchlist with analytics rule

@chirasuemetrosystems The "in" command is used against strings, not a table.   The "_GetWatchlist" command returns a table so you would not be able to use the "in" command with it.  You would need to perform another join in order to properly use it.

0 Likes
Reply