Microsoft Sentinel us watchlist for IP Range

Question

Microsoft Sentinel us watchlist for IP Range

Kentucky Mike 51

I currently have a Watchlist with IP Ranges: User's image

What I'm trying to do is leverage the watchlist to check a if a specific IP Address is in the watchlist IP Range.

Example:
An alert comes in from IP Address 10.10.1.5 I do not want the alert to trigger because it's coming from a "Safe IP Address" My watchlist doesn't contain IP Addresses, it contains ranges. The above IP is part of one of the IP Ranges so I want it to be ignored let IPIgnore = (_GetWatchlist('AllowedIPs') | project IPAddress); SecurityAlerts | where IPAddress !in (IPIgnore)

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-04-26T20:40:28.4266667+00:00

@Kentucky Mike

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-05-04T16:51:27.92+00:00

@Kentucky Mike

Thank you for following up regarding @David Broggy 's recommended solution. I wanted to check-in and see if you were able to look into @Andrew Blumhardt 's solution as well and if you ran into any issues?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Kentucky Mike 51 Reputation points

2023-05-04T16:57:25.72+00:00

yes to additional questions:

I had a follow up question I posted to Davids solution.

On Andrew's solution, I used that information when trying to apply the Query outline from David. Regarding using UEBA, we don't use UEBA so I am not able to leverage UEBA. I do, however, use the NetworkAddresses Watchlist template.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-05-04T19:06:23.03+00:00
@Kentucky Mike

Thank you for the quick follow up on this! I tried reproducing your issue within my Sentinel Instance but wasn't able to.

If you'd like our support team to take a closer look into your issue, can you please email me with the info below. I'll go ahead and enable a one-time free technical support request for your subscription so you can work with our support engineers to get this issue resolved.

<<Removed Email Instructions>>

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Kentucky Mike 51 Reputation points

2023-05-04T19:31:28.7733333+00:00

@JamesTran-MSFT , you received the same result I did. My understanding of this query is that I set My IP Address to an ip address that IS in the IP Range list via the watch list. so when I search for my IP address in the Watch List, there should be a result showing that my IP address was found and list it in the results table.

If your watchlist contains 10.10.1.0/24 and you set your IP address to 10.10.1.5, then you should get the results of 10.10.1.5 in the results table. You're using 10.10.1.0 as your IP address which will cause a "Not Found" result since 10.10.1.0 is not an available IP address.

All that being said, I will send the email and get someone to walk me through what I'm doing wrong and add a comment with the result.
Kentucky Mike 51 Reputation points

2023-06-09T21:29:31.6533333+00:00

James, I posted the answer below but I can't mark it as the answer, can you mark it for me?

Accepted answer

3 additional answers

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-04-26T20:40:28.4266667+00:00

@Kentucky Mike

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-05-04T16:51:27.92+00:00

@Kentucky Mike

Thank you for following up regarding @David Broggy 's recommended solution. I wanted to check-in and see if you were able to look into @Andrew Blumhardt 's solution as well and if you ran into any issues?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Kentucky Mike 51 Reputation points

2023-05-04T16:57:25.72+00:00

yes to additional questions:

I had a follow up question I posted to Davids solution.

On Andrew's solution, I used that information when trying to apply the Query outline from David. Regarding using UEBA, we don't use UEBA so I am not able to leverage UEBA. I do, however, use the NetworkAddresses Watchlist template.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-05-04T19:06:23.03+00:00

@Kentucky Mike

Thank you for the quick follow up on this! I tried reproducing your issue within my Sentinel Instance but wasn't able to.

If you'd like our support team to take a closer look into your issue, can you please email me with the info below. I'll go ahead and enable a one-time free technical support request for your subscription so you can work with our support engineers to get this issue resolved.

<<Removed Email Instructions>>

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Kentucky Mike 51 Reputation points

2023-05-04T19:31:28.7733333+00:00

@JamesTran-MSFT , you received the same result I did. My understanding of this query is that I set My IP Address to an ip address that IS in the IP Range list via the watch list. so when I search for my IP address in the Watch List, there should be a result showing that my IP address was found and list it in the results table.

If your watchlist contains 10.10.1.0/24 and you set your IP address to 10.10.1.5, then you should get the results of 10.10.1.5 in the results table. You're using 10.10.1.0 as your IP address which will cause a "Not Found" result since 10.10.1.0 is not an available IP address.

All that being said, I will send the email and get someone to walk me through what I'm doing wrong and add a comment with the result.
Kentucky Mike 51 Reputation points

2023-06-09T21:29:31.6533333+00:00

James, I posted the answer below but I can't mark it as the answer, can you mark it for me?

Answer 1

@Kentucky Mike

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

Issue:

You're trying to leverage Watchlists in Microsoft Sentinel to check if a specific IP address is in the Watchlist IP range. For Example:

An alert comes in from IP Address 10.10.1.5 I do not want the alert to trigger because it's coming from a "Safe IP Address" My watchlist doesn't contain IP Addresses, it contains ranges. The above IP is part of one of the IP Ranges so I want it to be ignored let IPIgnore = (_GetWatchlist('AllowedIPs') | project IPAddress); SecurityAlerts | where IPAddress !in (IPIgnore)

Solution:

After working with our Support Engineers, you found that the initial query doesn’t work with summarize because ipv4_is_in_range can’t use the result.

#I figured out what’s wrong with this query:

let IPIgnore = (_GetWatchlist('NetworkAddresses')
    | project SearchKey
    | summarize rangeList = make_list(SearchKey, 128));
let MyIPAddress = '10.50.248.25';
IPIgnore
| search '10.50.248.25'
| project MyIPAddress, tostring(rangeList)
| where (ipv4_is_in_range(MyIPAddress,rangeList))

===========================================================

#It doesn’t work with summarize because ipv4_is_in_range can’t use the result.
#This works:

let IPIgnore = (_GetWatchlist('NetworkAddresses')
    | project rangeList = SearchKey
    | distinct rangeList);
let MyIPAddress = '10.50.248.25';
IPIgnore
| project MyIPAddress, tostring(rangeList)
| where (ipv4_is_in_range(MyIPAddress, rangeList))

===========================================================

If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue!

Answer 2

Andrew Blumhardt 10,051 Microsoft Employee

There are some useful IP functions like ipv4_is_in_range() that can be useful. Also, if you use the watchlist template for "Network Addresses" this will flag your IPs as internal on the UEBA profile page. I prefer this option because the insight is provided for every alert.

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-in-range-function

Kentucky Mike 51 Reputation points

2023-04-24T23:45:50.58+00:00

I will give those a try first thing in the morning. Thank you Andrew....

Answer 3

David Broggy 6,371 MVP Volunteer Moderator

Hey Kentucky Mike! Long time no hear! Would this work?
let NetworkWatchlist = (_GetWatchlist('NetworkAddresses') | project SearchKey // this is where you extract the column from your watchlist with the IPs | summarize rangeList = make_list(SearchKey)); //here you're creating a list from the above results. let MyIPAddress = '192.168.100.4'; // you won't need this unless you're testing. NetworkWatchlist // now you run your regular search | project MyIPAddress, tostring(rangeList) // now they're dumping all the IPs from your search and the list | where (ipv4_is_in_range(MyIPAddress, rangeList)) // here you filter from the above dump to just match your IP.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Kentucky Mike 51

David,

I tried your outline and wasn't able to get it to work:

let IPIgnore = (_GetWatchlist('NetworkAddresses') | project SearchKey | summarize rangeList = make_list(SearchKey,128));
let MyIPAddress = '10.50.248.25';
IPIgnore
| search '10.50.248.25'
| project MyIPAddress, tostring(rangeList)
| where (ipv4_is_in_range(MyIPAddress,rangeList))

one of the ranges in the NetworkAddresses watchlist is 10.50.248.0/24

Answer 4

Kentucky Mike 51

I received the following from a Microsoft Support Engineer:

 
I figured out what’s wrong with this query:

let IPIgnore = (_GetWatchlist('NetworkAddresses')
    | project SearchKey
    | summarize rangeList = make_list(SearchKey, 128));
let MyIPAddress = '10.50.248.25';
IPIgnore
| search '10.50.248.25'
| project MyIPAddress, tostring(rangeList)
| where (ipv4_is_in_range(MyIPAddress,rangeList))
 
It doesn’t work with summarize because ipv4_is_in_range can’t use the result.
 
This works:
let IPIgnore = (_GetWatchlist('NetworkAddresses')
    | project rangeList = SearchKey
    | distinct rangeList);
let MyIPAddress = '10.50.248.25';
IPIgnore
| project MyIPAddress, tostring(rangeList)
| where (ipv4_is_in_range(MyIPAddress, rangeList))
 
 

===========================================================

Ibu Jah 0 Reputation points

2023-10-20T01:28:29.8133333+00:00

@Kentucky Mike .
How did you use the solution mentioned above to filter SecurityAlerts ?
Kentucky Mike 51 Reputation points

2023-10-20T01:34:16.4066667+00:00

The Solution above wasn't to filter SecurityAlerts. It was to Filter based on an IP Range and if the Source/Destination IP was within the ip range in the watchlist, do something.
Ibu Jah 0 Reputation points

2023-10-20T03:59:31.05+00:00
OK well noted. Thanks to the solution above, I was able to create a version that filters signin related alerts (ex. in login from abroad rules) to ignore IPs within a watchlist containing whitelisted IP ranges. In case anyone is interested ...

let watchlist = (_GetWatchlist('AllowedSubnets') | project Subnet); SigninLogs | extend IPAddressIsInWatchlist = ipv4_is_in_any_range(IPAddress, toscalar(watchlist | summarize make_list(Subnet))) | where IPAddressIsInWatchlist == false

Share via

Microsoft Sentinel us watchlist for IP Range

3 additional answers

Your answer