Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
I need a KQL query for Azure Sentinel for making an alert rule that triggers when the IP address field of any of the following tables matches the watchlisted IPs under the watchlist named "BruteforceIPs". The required tables to check for the IPs are: SigninLogs, AzureDiagnostics, AADNonInteractiveUserSignInLogs and VMConnection. In these tables, the IP address fields are named IPAddress, clientIP_s, IPAddress and DestinationIp respectively.
Hello,
Here is a basic query you can build from:
// Watchlist column holding the IPs (assumed to be named IPAddress)
let ip_ = _GetWatchlist('BruteforceIPs') | project IPAddress;
// isfuzzy=true lets the query run even if one of the tables is absent from the workspace
union isfuzzy=true
(
SigninLogs
| where IPAddress in (ip_)
| extend found_ = strcat("Found in SigninLogs logs ", IPAddress)
),
(
AzureDiagnostics
| where clientIP_s in (ip_)
// normalize the column name so the final project works for both tables
| extend IPAddress = clientIP_s, found_ = strcat("Found in AzureDiag logs ", clientIP_s)
)
| project IPAddress, found_
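As an added example that is not part of the original answer, here is the query extended to all four tables the question lists, normalizing each table's IP column to a common name and joining against the watchlist so the rule fires once per matching IP. The watchlist column name IPAddress and the per-table context columns (UserPrincipalName, ResultType, ResourceType, Category, Computer, DestinationPort) are assumptions.

```kql
// Added example, not from the original answer. Assumes the watchlist stores the
// IP in a column called IPAddress; the Context columns per table are also assumed.
let watch = _GetWatchlist('BruteforceIPs')
    | project WatchIP = tostring(IPAddress)
    | distinct WatchIP;   // avoid duplicate join rows if the watchlist repeats an IP
let hits = union isfuzzy=true   // tolerate tables that do not exist in this workspace
    (SigninLogs
        | project TimeGenerated, SourceTable = "SigninLogs",
                  SourceIP = tostring(IPAddress),
                  Context = strcat(UserPrincipalName, " result=", ResultType)),
    (AADNonInteractiveUserSignInLogs
        | project TimeGenerated, SourceTable = "AADNonInteractiveUserSignInLogs",
                  SourceIP = tostring(IPAddress),
                  Context = strcat(UserPrincipalName, " result=", ResultType)),
    (AzureDiagnostics
        // clientIP_s only exists for some resource types; column_ifexists avoids a
        // query error when the column has never been populated in this workspace
        | project TimeGenerated, SourceTable = "AzureDiagnostics",
                  SourceIP = tostring(column_ifexists("clientIP_s", "")),
                  Context = strcat(ResourceType, " ", Category)
        | where isnotempty(SourceIP)),
    (VMConnection
        | project TimeGenerated, SourceTable = "VMConnection",
                  SourceIP = tostring(DestinationIp),
                  Context = strcat(Computer, " -> ", DestinationIp, ":", DestinationPort));
hits
// inner join keeps only events whose IP appears in the watchlist
| join kind=inner watch on $left.SourceIP == $right.WatchIP
| summarize HitCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Tables = make_set(SourceTable),
            Samples = make_set(Context, 5)   // keep up to 5 example contexts per IP
  by SourceIP
| project-rename IPAddress = SourceIP
```

Scheduling this as an analytics rule with a lookback matching the query frequency gives one incident per watchlisted IP, with the tables it was seen in as entities for triage.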