user13110739
Reputation: 11
Emulate Whitelisting of CIDR Range on Azure Sentinel
There is a way to use CIDR range in kusto? the code below only works if i remove the /24..
let whiteList = dynamic (["192.168.2.0/24", "192.168.1.0/24"]); // setup a whitelist of range IP
OfficeActivity
| where Operation == "MailboxLogin"
| where ClientIP in (whiteList)
| summarize count=count() by UserId
any solution please ?
Upvotes: 1
Views: 1973
Answers (3)
younes khaldi
Reputation: 11
You can use this:
let WhiteList= @'^192\.168\.1|^192\.168\.2'; // put your internal networks
OfficeActivity
| where Operation == "MailboxLogin"
| extend IswhiteList = iff(ClientIP matches regex WhiteList,"whiteList" ,"none" )
| where IswhiteList == "whiteList"
| summarize count=count() by UserId
Upvotes: 1
Alexander Sloutsky
Reputation: 3027
More IPv4 functions listed here:
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalarfunctions#ip-v4-functions
Upvotes: 0
Gary Bushey
Reputation: 121
Take a look at parse_ipv4()
https://learn.microsoft.com/en-us/azure/kusto/query/parse-ipv4function
It looks like it should do what you need.
Upvotes: 0
Related Questions
- Filter IPs if they are in list of ranges
- KQL Query to filter values based on condition
- Whitelist Azure SQL Server IP to access Az Storage Account
- IP address/range filter for Azure Service Bus
- Kusto query, comparing array of CIDR ranges to an IP
- Whitelist is being ignored in KQL Query
- Filter IP ranges in Logic Apps ARM templates
- Using KQL to search on subnets
- CIDR to IP range in order to use in a firewall definition, that does not understand CIDRs (like azurerm_sql_firewall_rule)?
- Whitelisting specific IP Addressess with Azure Network Security Groups