Forum Discussion

ben_loy's avatar
ben_loy
Copper Contributor
Sep 13, 2022
Solved

Working with watchlists and ipv4_is_in_any_range() to exclude results from query

Hello! I am struggling with using watchlists as a blacklist.    This is my query:   let list = _GetWatchlist('blacklistedSegments') | summarize make_list(segment); SigninLogs | where ipv4_is_in...
Azure Log Analytics
Log Analytics
microsoft sentinel
Query Language
  • Clive_Watson's avatar
    Clive_Watson
    Sep 13, 2022

    ben_loy 

     

    This example works for me

    let list = toscalar(_GetWatchlist('...........')
| summarize make_list(SearchKey));
AzureActivity
| where ipv4_is_in_any_range(tostring(CallerIpAddress), list)

     

     

     

ben_loy's avatar
ben_loy
Copper Contributor
Sep 13, 2022

Clive_Watson 

Thanks for replying.

 

Unfortunately Project and Distinct throw the same error. 

 

The docs say that the method expect a dynamic array:

 

and make_list() returns exactly that:

 

Maybe there are some subtleties I miss?

Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Sep 13, 2022

ben_loy 

 

This example works for me

let list = toscalar(_GetWatchlist('...........')
| summarize make_list(SearchKey));
AzureActivity
| where ipv4_is_in_any_range(tostring(CallerIpAddress), list)

 

 

 

  • Come_on's avatar
    Come_on
    Copper Contributor
    Feb 20, 2023
    This work great. Any thoughts on if I want to exclude the IP address in the watchlist from my query?
    • Clive_Watson's avatar
      Clive_Watson
      Bronze Contributor
      Feb 20, 2023
      Something like this (not tested)?

      | where not(ipv4_is_in_any_range(tostring(CallerIpAddress), list))

Resources