KQL query for azure sentinel to check for bruteforce ips in a watchlist

Danaa Salam 40 Reputation points
2023-11-09T15:40:49.7066667+00:00

I need a KQL query for Azure Sentinel for making an alert rule that triggers when the IP address field of any of the following tables matches the watchlisted IPs under the watchlist named "BruteforceIPs". The required tables to check for the IPs are: SigninLogs, AzureDiagnostics, AADNonInteractiveUserSignInLogs and VMConnection. In these tables, the IP address fields are named IPAddress, clientIP_s, IPAddress and DestinationIp respectively.

Microsoft Sentinel

1 answer

  1. Clive Watson 6,436 Reputation points MVP
    2023-11-09T15:59:47.88+00:00

    Hello,

    Here is a basic query you can build from:

    // Assumes the watchlist column holding the IP is named IPAddress
    let ip_ = _GetWatchlist('BruteforceIPs') | project IPAddress;
    union isfuzzy=true
    (
        SigninLogs
        | where IPAddress in (ip_)
        | extend found_ = strcat("Found in SigninLogs ", IPAddress)
    ),
    (
        AzureDiagnostics
        | where clientIP_s in (ip_)
        // Normalise the column name so both legs share one IPAddress column
        | extend IPAddress = clientIP_s
        | extend found_ = strcat("Found in AzureDiagnostics ", IPAddress)
    )
    | project IPAddress, found_
    
    1 person found this answer helpful.
    0 comments No comments
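The answer above covers two of the four tables. The following is an added example, not the answer's own query, that extends the same pattern to all four tables named in the question and shapes the output for a scheduled analytics rule. It assumes the watchlist 'BruteforceIPs' was created with its IP column as the search key (so the built-in SearchKey column holds the IP), and that UserPrincipalName is the account field in the two sign-in tables; the SourceTable and Account column names are the example's own choices.

```kql
// Added example: match the BruteforceIPs watchlist against four tables.
// Assumption: the watchlist's search key is the IP column, so SearchKey holds the IP.
let bruteforce_ips = _GetWatchlist('BruteforceIPs') | project SearchKey;
union isfuzzy=true   // isfuzzy: skip any table that does not exist in the workspace
(
    SigninLogs
    | where IPAddress in (bruteforce_ips)
    | project TimeGenerated, IPAddress, Account = UserPrincipalName, SourceTable = "SigninLogs"
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress in (bruteforce_ips)
    | project TimeGenerated, IPAddress, Account = UserPrincipalName, SourceTable = "AADNonInteractiveUserSignInLogs"
),
(
    AzureDiagnostics
    | where clientIP_s in (bruteforce_ips)
    // clientIP_s is renamed so every leg of the union shares one IPAddress column
    | project TimeGenerated, IPAddress = clientIP_s, Account = "", SourceTable = "AzureDiagnostics"
),
(
    VMConnection
    | where DestinationIp in (bruteforce_ips)
    | project TimeGenerated, IPAddress = DestinationIp, Account = "", SourceTable = "VMConnection"
)
// One row per watchlisted IP that was seen, with where and how often it appeared
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Hits      = count(),
            Tables    = make_set(SourceTable),
            Accounts  = make_set_if(Account, isnotempty(Account))
  by IPAddress
```

When this is used as the rule query, map the IP entity to the IPAddress column and set alert grouping to one alert per row, so each watchlisted IP that appears in any of the four tables produces a single alert listing the tables and accounts it touched. If the watchlist was created with a different search key, replace `project SearchKey` with the actual IP column name, as in the answer's `project IPAddress`.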
