How to write a kql comparing 2 different tables(signins, threatintelligence) to create alert if the sign in ip matches with the ip reported by threatintelligence.

Harish Menti 0 Reputation points
2024-06-23T20:18:15.57+00:00

I tried multiple ways to join the tables but ended up getting multiple errors, and I am not able to call the table that I referred into a variable using the let operator after I refer other table after it. As I was not able to use the first defined variable as universal variable so I can call that variable after I refer another table of interest into another variable and compare both IPs. I finally would want the kql to raise alert if it sees sigins from ip that is reported in the threatintell

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,054 questions
{count} votes