KQL query for azure sentinel to check for bruteforce ips in a watchlist

Danaa Salam 40 Reputation points

I need a KQL query for Azure Sentinel for making an alert rule that triggers when the IP address field of any of the following tables matches the watchlisted IPs under the watchlist named "BruteforceIPs". The required tables to check for the IPs are: SigninLogs, AzureDiagnostics, AADNonInteractiveUserSignInLogs and VMConnection. In these tables, the IP address fields are named IPAddress, clientIP_s, IPAddress and DestinationIp respectively.


1 answer

  1. Clive Watson 4,341 Reputation points MVP


    Here is a basic query you can build from:

    // Watchlist column assumed to be named IPAddress
    let ip_ = _GetWatchlist('BruteforceIPs') | project IPAddress;
    union isfuzzy=true
    (
        SigninLogs
        | where IPAddress in (ip_)
        | extend found_ = strcat("Found in Signinlogs logs ", IPAddress)
    ),
    (
        AzureDiagnostics
        | where clientIP_s in (ip_)
        // normalise the column name so both branches project the same field
        | extend IPAddress = clientIP_s
        | extend found_ = strcat("Found in AzureDiag logs ", IPAddress)
    )
    | project IPAddress, found_
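Extending the answer above to all four tables named in the question, as an added example that is not part of the original answer: it assumes, as the answer does, that the "BruteforceIPs" watchlist has a column named IPAddress (check the column name in the watchlist definition; if the IP column was set as the search key, `SearchKey` can be projected instead), and that the per-table field names are the ones the question lists. The `summarize` at the end is an assumed choice so that one alert fires per watchlisted IP with the tables it was seen in, rather than one row per matching event.

```kql
// Added example: match the BruteforceIPs watchlist against all four tables from the question.
// Assumption: the watchlist has a column named IPAddress.
let ip_ = _GetWatchlist('BruteforceIPs') | project IPAddress;
union isfuzzy=true   // isfuzzy lets the query run even if one of the tables is not present in the workspace
(
    SigninLogs
    | where IPAddress in (ip_)
    | extend SourceTable = "SigninLogs"
),
(
    AzureDiagnostics
    | where clientIP_s in (ip_)
    | extend IPAddress = clientIP_s, SourceTable = "AzureDiagnostics"
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress in (ip_)
    | extend SourceTable = "AADNonInteractiveUserSignInLogs"
),
(
    VMConnection
    | where DestinationIp in (ip_)
    | extend IPAddress = DestinationIp, SourceTable = "VMConnection"
)
// one row per watchlisted IP, with how often and where it was seen in the rule's lookback window
| summarize HitCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Tables = make_set(SourceTable)
          by IPAddress
| project IPAddress, HitCount, FirstSeen, LastSeen, Tables
```

When this is used as a scheduled analytics rule, the rule's lookback period bounds `TimeGenerated`, so no explicit time filter is needed in the query; map the IPAddress column to the IP entity in the rule's entity mapping so the incident carries the matched address.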