Jan 25 2022 12:23 AM - edited Jan 25 2022 12:25 AM
I have tried to use watch list IP address to exclude IP address from failed address in analytic rule"Successful logon from IP and failure from a different IP"
let logonDiff = 10m;
let watchlist = _GetWatchlist('WLtest');
let aadFunc = (tableName: string) {
table(tableName)
| where ResultType == "0"
| where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online")
| project
SuccessLogonTime = TimeGenerated,
UserPrincipalName,
SuccessIPAddress = IPAddress,
AppDisplayName,
SuccessIPBlock = strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1]),
Type
| join kind= inner (
table(tableName)
| where ResultType !in ("0", "50140")
| where ResultDescription !~ "Other"
| where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online")
| project
FailedLogonTime = TimeGenerated,
UserPrincipalName,
FailedIPAddress = IPAddress,
AppDisplayName,
ResultType,
ResultDescription,
Type
)
on UserPrincipalName, AppDisplayName
| where SuccessLogonTime < FailedLogonTime
and FailedLogonTime - SuccessLogonTime <= logonDiff
and FailedIPAddress !startswith SuccessIPBlock
| where FailedIPAddress !in (watchlist)
| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime)
by
UserPrincipalName,
SuccessIPAddress,
AppDisplayName,
FailedIPAddress,
ResultType,
ResultDescription,
Type
| extend timestamp = SuccessLogonTime
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
Jan 25 2022 03:21 AM
@chirasuemetrosystems The "in" command is used against strings, not a table. The "_GetWatchlist" command returns a table so you would not be able to use the "in" command with it. You would need to perform another join in order to properly use it.