Marcel Kogucik

Reputation: 1

MS Sentinel - KQL - checking ip ranges from watchlist with ip address in particular tables

I would like the matching records from the watchlist to be displayed, where IP address ranges are given. I am using a function to compare whether a given IP address belongs to a range: ipv4_is_in_range. I can do it when comparing IP addresses from the watchlist, but with ranges I have a problem.

The watchlist with IP ranges has this structure:

IPpool,Info
134.238.0.0/16,dedededede

For comparing IP addresses from the watchlist I use this query, and it works:

let watchlist = (_GetWatchlist('testl') | project IPAddress);
AzureActivity
| where CallerIpAddress in (watchlist)

Then I'm trying to rebuild this query to use the IP range from the watchlist mentioned above:

let watchlist = (_GetWatchlist('testl2') | project IPpool);
AzureActivity
| where ipv4_is_in_range(CallerIpAddress, (watchlist))

And it doesn't work...

Of course, when I define the range as a string, it works:

let watchlist = (_GetWatchlist('testl2') | project IPpool);
AzureActivity
| where ipv4_is_in_range(CallerIpAddress, "134.238.0.0/16")

I'm sure that there is some problem with the expression, the data, or the logic... I'm not a master of KQL. Could you help?

Upvotes: 0

Views: 1662

Answers (2)

Try this:

let list = toscalar(_GetWatchlist('...........')
| summarize make_list(SearchKey));
AzureActivity
| where ipv4_is_in_any_range(tostring(CallerIpAddress), list)

Upvotes: 0
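The answer above filters AzureActivity down to callers inside any watchlist range, which is enough for a detection rule, but the question also asks to see the matching watchlist record (the Info column). The following query is an added example, not code from the question or either answer. It assumes a watchlist named 'testl2' with the columns IPpool (a CIDR range) and Info as shown in the question, and that the ipv4_lookup plugin is available in the workspace; the plugin does the range match and returns the matched watchlist columns alongside each activity row.

```kql
// Added example: join AzureActivity rows to the watchlist range that contains
// the caller's IP, and keep the watchlist's Info column for context.
// Assumes a watchlist 'testl2' with columns IPpool (CIDR) and Info.
let ranges = _GetWatchlist('testl2')
    | project IPpool, Info;
AzureActivity
// CallerIpAddress is already a string; the cast makes the key type explicit.
| extend CallerIp = tostring(CallerIpAddress)
// ipv4_lookup(LookupTable, SourceIPv4Key, IPv4LookupKey): inner join on
// "CallerIp is within IPpool". Unmatched activity rows are dropped.
| evaluate ipv4_lookup(ranges, CallerIp, IPpool)
| project TimeGenerated, Caller, CallerIp, OperationNameValue, IPpool, Info
```

If only the AzureActivity rows are needed (no watchlist columns), the ipv4_is_in_any_range() form in the answer above is simpler; ipv4_lookup is the one to reach for when each hit should carry the watchlist's own fields into the alert or incident.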

Washuu

Reputation: 1

I think it is because the watchlist variable is a _list_of_multiple_IP_ranges, and the function ipv4_is_in_range requires a single subnet as the second argument. (I know I should put it as a comment, not an answer, but my reputation doesn't let me)

Upvotes: -1
