Forum Discussion
ben_loy
Sep 13, 2022 - Copper Contributor
Working with watchlists and ipv4_is_in_any_range() to exclude results from query
Hello! I am struggling with using watchlists as a blacklist. This is my query:
let list = _GetWatchlist('blacklistedSegments')
| summarize make_list(segment);
SigninLogs
| where ipv4_is_in...
Clive_Watson
Sep 13, 2022 - Bronze Contributor
You could probably use project rather than summarize or Distinct?
let list = _GetWatchlist("....") | project SearchKey
or there is a Dynamic option, which I've not tried with a Watchlist: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-in-any-range-function
e.g.
ipv4_is_in_any_range("127.0.0.1", dynamic([segment])) == true
ben_loy
Sep 13, 2022 - Copper Contributor
Thanks for replying.
Unfortunately Project and Distinct throw the same error.
The docs say that the method expects a dynamic array:
and make_list() returns exactly that:
Maybe there are some subtleties I miss?
Clive_Watson
Sep 13, 2022 - Bronze Contributor
This example works for me
let list = toscalar(_GetWatchlist('...........') | summarize make_list(SearchKey));
AzureActivity
| where ipv4_is_in_any_range(tostring(CallerIpAddress), list)
Come_on
Feb 20, 2023 - Copper Contributor
This works great. Any thoughts on if I want to exclude the IP address in the watchlist from my query?
Clive_Watson
Feb 20, 2023 - Bronze Contributor
Something like this (not tested)?
| where not(ipv4_is_in_any_range(tostring(CallerIpAddress), list))
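The pieces the thread arrives at, combined into one self-contained query as an added example (not code from any of the posters): constructed datatable rows stand in for the watchlist and for SigninLogs, toscalar() turns the make_list() result into the dynamic array the function needs, and coalesce() keeps sign-ins whose address is not a parseable IPv4 (for example IPv6), which a bare not() would silently drop because ipv4_is_in_any_range() returns null for them.

```kusto
// Added example, not from the thread. Constructed watchlist rows; in Sentinel
// replace this datatable with _GetWatchlist('blacklistedSegments').
let blacklistedSegments = datatable(SearchKey: string) [
    "10.0.0.0/8",
    "192.168.1.0/24",
    "203.0.113.7/32"
];
// summarize make_list() produces a one-row table whose single cell is a dynamic
// array. A let binding to that result is tabular, and ipv4_is_in_any_range()
// rejects it; toscalar() unwraps the cell into the dynamic scalar it expects.
let list = toscalar(blacklistedSegments | summarize make_list(SearchKey));
// Constructed sign-in rows standing in for SigninLogs.
// alice: inside 10.0.0.0/8      -> excluded
// bob:   inside 192.168.1.0/24  -> excluded
// carol: in no listed range     -> kept
// dave:  neighbour of the /32   -> kept
// erin:  IPv6 source            -> function returns null; must still be kept
let sampleSignins = datatable(UserPrincipalName: string, IPAddress: string) [
    "alice@contoso.example", "10.1.2.3",
    "bob@contoso.example",   "192.168.1.200",
    "carol@contoso.example", "198.51.100.42",
    "dave@contoso.example",  "203.0.113.8",
    "erin@contoso.example",  "2001:db8::10"
];
sampleSignins
// not(null) is null and where drops null predicates, so an unguarded
// not(ipv4_is_in_any_range(...)) would hide every non-IPv4 sign-in.
// coalesce() maps the null to false, so only genuine matches are excluded.
| where not(coalesce(ipv4_is_in_any_range(IPAddress, list), false))
| project UserPrincipalName, IPAddress
// Expected rows: carol, dave, erin
```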