Watchlist search all tables for IP

sulaimanncs915 · ‎Apr 12 2024

Hi,

I have a watchlist with 50 IP address. I would need help to search the IPs in all tables regardless of the column in my L.A.W

Please help me with the KQL Query

deshantshukla · ‎Apr 16 2024

try this let tables = search * | where TimeGenerated >= ago(2s); watchlist_IP | where ipAddress in (tables)

sulaimanncs915 · ‎Apr 18 2024

hi having some syntax issues , can you put it line by line

abon13 · ‎Apr 19 2024

@sulaimanncs915 sulaimanncs915 Sentinel has a query timeout limit of 10 minutes. Depending on your table size, you MAY be successful in executing the search() query. I believe you are doing IoC search, so if there are multiple hits for your IP and the table size is bigger then there will be a performance hit and your query may timeout as well

I would suggest to narrow down on every table which column has the data you want to look up and then perform the search on those columns. Basically you can have one main function and then subfunctions within it running the search for the individual tables

Check the following post:
https://techcommunity.microsoft.com/t5/microsoft-sentinel/kql-query-for-match-ioc-from-watchlist/m-p...

sulaimanncs915 · ‎Apr 19 2024

there are some issues with watchlist_IP can you check

let tables = search *
| where TimeGenerated >= ago(2s);
watchlist_IP
| where ipAddress in (tables)

Watchlist search all tables for IP

Watchlist search all tables for IP

Re: Watchlist search all tables for IP

Re: Watchlist search all tables for IP

Re: Watchlist search all tables for IP

Re: Watchlist search all tables for IP

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Watchlist search all tables for IP