Forum Discussion

roadruner's avatar
roadruner
Copper Contributor
Oct 29, 2020
Solved

Watchlist and query

new to kql here, is it possible to build a  query that search's across logs looking for machines that connected to any of ip addresses in the watchlist?  Any examples ? Plan would be to turn that que...
  • GaryBushey's avatar
    GaryBushey
    Oct 30, 2020

    roadruner This is the starting query for something like that.

     

     

    let ClearedIPAddresses=_GetWatchlist('test1');
    CommonSecurityLog
    | join ClearedIPAddresses on $left.SourceIP== $right.IPAddress

GaryBushey's avatar
GaryBushey
Bronze Contributor
Oct 30, 2020

roadruner Here is a simple example of how to do this.  I created a CSV file that has all the IPAddresses I have cleared and uploaded that into the Watchlist using "ClearedIPAddreses" as the alias.

 

let ClearedIPAddresses=_GetWatchlist('ClearedIPAddresses');
Heartbeat
| join ClearedIPAddresses on $left.ComputerIP == $right.IPAddress
catilintouchadmin's avatar
catilintouchadmin
Copper Contributor
Jul 01, 2021

GaryBushey thank you very much for that.  I will try that also and feedback

 

Kind regards 

Caitlin