Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,051 questions
How to write a kql comparing 2 different tables(signins, threatintelligence) to create alert if the sign in ip matches with the ip reported by threatintelligence.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 95%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHM%3C/text%3E%3C/svg%3E)
Harish Menti
0
Reputation points
I tried multiple ways to join the tables but ended up getting multiple errors, and I am not able to call the table that I referred into a variable using the let operator after I refer other table after it. As I was not able to use the first defined variable as universal variable so I can call that variable after I refer another table of interest into another variable and compare both IPs. I finally would want the kql to raise alert if it sees sigins from ip that is reported in the threatintell
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 30,521 Reputation points Microsoft Employee2024-06-24T05:11:58.0033333+00:00 @Harish Menti Thank you for reaching out to us, check the below approach/query if this helps to achieve your ask (generated by internal AI tool)
To compare the
SigninLogstable with theThreatIntelligenceIndicatortable and create an alert if the IP address in theSigninLogstable matches the IP address in theThreatIntelligenceIndicatortable, you can use the following KQL query:let threatIntelligence = ThreatIntelligenceIndicator | where type == "ip" | project ThreatIP = tostring(properties.indicatorValue); SigninLogs | where TimeGenerated > ago(1d) | where ClientIP != "" | join kind=inner ( threatIntelligence ) on $left.ClientIP == $right.ThreatIP | project TimeGenerated, ClientIP, ThreatIPThis query first defines a variable
threatIntelligencethat filters theThreatIntelligenceIndicatortable to only include indicators of type "ip" and projects theindicatorValueasThreatIP.Then, the query filters the
SigninLogstable to only include logs from the last day and where theClientIPis not empty. It then performs an inner join with thethreatIntelligencevariable on theClientIPfield in theSigninLogstable and theThreatIPfield in thethreatIntelligencevariable.Finally, the query projects the
TimeGenerated,ClientIP, andThreatIPfields and returns the results.You can use this query as the basis for an alert rule that triggers when the query returns results.
Let me know if this helps or not, feel free to post back.
Sign in to comment