Reputation: 21
I'm currently working with KQL and I need to make some sort of list or table that holds hundreds of malicious IP values. I'm really new to KQL and InfoSec in general, so I was wondering if there's a way that I can create some sort of data table of IPs that I can call on in various queries.
Here is an example of the kind of data table I'm working with:
let ipAddresses = datatable(IPAddress:string)
[
"62.86.18.86",
"8.211.111.53",
"14.178.141.190"
];
Essentially, I want this to be stored in a separate query, and then be able to call this data table anytime I need it. For example, I might want to use this data table in a separate query to check if any one of these IPs had a successful sign-in on a user's account.
I have tried copying and pasting these long lists of IPs in every query I make, but that seems to be very inefficient. The problem becomes that if one query's data table is updated, all queries that also use that data table must also be updated. I'm looking for this table to be more centralized (if that makes sense).
I have created the GetMaliciousIPs function with ".create". Because of how my environment is set up, I can't use "SignInLogs", so instead, I have to do something like this:
let signInsForIPs = AADSignInEventsBeta
| where Timestamp >= ago(30d)
| where IPAddress in (ipAddresses);
When combined, this is what the new query looks like:
let maliciousIPs = GetMaliciousIPs();
let signInsForIPs = AADSignInEventsBeta
| where Timestamp >= ago(30d)
| where IPAddress in (maliciousIPs);
When run, this also does not work. I get a syntax error. Any ideas of how to fix this too?
Upvotes: 2
Views: 92
Reputation: 11253
Firstly, I have a table called AADSignInEventsBeta with data in it.
Then I created a function like below. Here RithIps are the malicious IPs:
.create function RithIps() {
datatable(IPAddress:string)
[
"192.168.1.1",
"10.20.30.40"
]
}
To test if it is malicious:
AADSignInEventsBeta
| where Timestamp >= ago(30d)
| where IPAddress in (RithIps)
You can also assign it to a variable:
let x = AADSignInEventsBeta
| where Timestamp >= ago(30d)
| where IPAddress in (RithIps);
x
Upvotes: 0
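As an added example that is not part of the question or the answer above, this is how I would build the centralized list as a stored function with provenance columns and then run the "successful sign-in from a known-bad IP" check the question asks for. It assumes an Azure Data Explorer cluster where `.create-or-alter function` is allowed, and that AADSignInEventsBeta exposes the columns ErrorCode, AccountUpn and Application (not shown on the page); the Source and AddedOn values are constructed sample data.

```kusto
// Step 1 (management command, run on its own): one central IOC list.
// Editing this function updates every query that references it.
.create-or-alter function with (
    docstring = "Known-bad IP addresses; edit here, every query picks up the change",
    folder = "ThreatIntel")
MaliciousIPs() {
    datatable(IPAddress:string, Source:string, AddedOn:datetime) [
        "62.86.18.86",    "abuse-report", datetime(2023-01-15),  // constructed
        "8.211.111.53",   "abuse-report", datetime(2023-01-15),  // constructed
        "14.178.141.190", "honeypot",     datetime(2023-02-02)   // constructed
    ]
}

// Step 2 (query, run separately): successful sign-ins from any listed IP
// in the last 30 days. A join instead of in() keeps the Source column, so
// the analyst sees which feed flagged the address. ErrorCode == 0 is the
// assumed success indicator for this table.
AADSignInEventsBeta
| where Timestamp >= ago(30d)
| where ErrorCode == 0
| join kind=inner (MaliciousIPs) on IPAddress
| summarize SignIns = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Apps = make_set(Application)
    by AccountUpn, IPAddress, Source
| order by LastSeen desc
```

If the list ever grows to thousands of rows or needs to be refreshed from an external feed, the same query keeps working when MaliciousIPs is replaced by a real table ingested on a schedule, since callers only depend on the IPAddress column.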