Forum Discussion

roadruner's avatar
roadruner
Copper Contributor
Oct 29, 2020
Solved

Watchlist and query

new to kql here, is it possible to build a  query that search's across logs looking for machines that connected to any of ip addresses in the watchlist?  Any examples ? Plan would be to turn that que...
  • GaryBushey's avatar
    GaryBushey
    Oct 30, 2020

    roadruner This is the starting query for something like that.

     

     

    let ClearedIPAddresses=_GetWatchlist('test1');
    CommonSecurityLog
    | join ClearedIPAddresses on $left.SourceIP== $right.IPAddress

GaryBushey's avatar
GaryBushey
Bronze Contributor
Oct 30, 2020

roadruner This is the starting query for something like that.

 

 

let ClearedIPAddresses=_GetWatchlist('test1');
CommonSecurityLog
| join ClearedIPAddresses on $left.SourceIP== $right.IPAddress

roadruner's avatar
roadruner
Copper Contributor
Oct 30, 2020

GaryBushey Thanks! This worked. Just replaced sourceip to destip. and .found the test hits to the list. either way works.