How to Exclude the IP Subnet range in the Sentinel KQL use case

Jagadeesh Gunasekaran 25 Reputation points
2023-08-03T23:51:21.8433333+00:00

Hi all...!

KQL query explore...

Assuming the following IP subnet ranges, I want to exclude them from the event results (Sentinel SIEM):

e.g. 118.13.0.0/16

My goal is to exclude records in which the source IP value is from the excluded IP range.

What is the best way to achieve that?

I tried the ipv4_is_in_any_range() function, but no luck.

Thanks in advance...

Jagadeesh G

Microsoft Security | Microsoft Sentinel

Accepted answer
  Sedat SALMAN 14,180 Reputation points MVP
    2023-08-05T20:02:24.42+00:00

    I have added the following query; you can modify this one for your case.

    // 'datatable' stands for the table you are querying; replace it with that table's name
    datatable
    | where not(ipv4_is_in_any_range(SourceIP, dynamic(["118.13.0.0/16"])))

    This query will filter out any records where the source IP address is in the 118.13.0.0/16 range.

    1 person found this answer helpful.
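As an added, self-contained example (not part of the answer above, and not the questioner's table): the same exclusion run against a few constructed rows, with the subnet list defined once so several ranges can be dropped together. It also handles one edge case the one-liner does not: ipv4_is_in_any_range() returns null when SourceIP is empty or not a valid IPv4 address, and `where not(null)` silently drops that row. The coalesce() below keeps such rows so malformed source addresses are not lost from the results. Column names and sample values are assumptions for illustration only.

```kusto
// Added example (not from the original answer): constructed sample rows,
// the exclusion list defined once, and a null-safe filter.
let ExcludedRanges = dynamic(["118.13.0.0/16", "10.0.0.0/8"]);   // subnets to drop
datatable(TimeGenerated:datetime, SourceIP:string, Action:string)
[
    datetime(2023-08-03 10:00:00), "118.13.42.7", "Allow",   // inside 118.13.0.0/16 -> excluded
    datetime(2023-08-03 10:01:00), "118.14.0.1",  "Allow",   // outside both ranges -> kept
    datetime(2023-08-03 10:02:00), "10.20.30.40", "Deny",    // inside 10.0.0.0/8   -> excluded
    datetime(2023-08-03 10:03:00), "203.0.113.5", "Deny",    // outside both ranges -> kept
    datetime(2023-08-03 10:04:00), "",            "Deny"     // unparseable SourceIP -> kept (see comment below)
]
// ipv4_is_in_any_range() yields null for an empty or invalid address; not(null) is
// null and `where` drops the row. coalesce(..., false) treats "not in any range"
// as the safe default so the row stays visible for investigation.
| where not(coalesce(ipv4_is_in_any_range(SourceIP, ExcludedRanges), false))
| project TimeGenerated, SourceIP, Action
```

Running this returns three rows (118.14.0.1, 203.0.113.5 and the empty SourceIP); without coalesce() the last row would disappear. If you would rather drop unparseable addresses deliberately, replace `false` with `true`, so the choice is explicit in the query rather than a side effect of null handling.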

0 additional answers
