After some test and trial, I got this work around to work for returning result if IP from one table is in CIDR of the other. However, there's a couple of caveats I will mention at the bottom.
let TICacheS = toscalar(
ThreatIntelligenceIndicator
| where ExpirationDateTime > now()
and TimeGenerated > ago(1d)
and Active == true
and isnotempty(NetworkCidrBlock)
| distinct NetworkCidrBlock
| limit 10000
| summarize cidr_set = make_set(NetworkCidrBlock)
);
let LogCache = materialize(
CommonSecurityLog
| where not(ipv4_is_private(DestinationIP))
and TimeGenerated >= ago(1h)
| distinct DestinationIP
| extend ip=DestinationIP
);
let t= LogCache
| mv-apply cidr=TICacheS to typeof(string) on
(
where ipv4_is_match(ip, cidr)
);
CommonSecurityLog
| where TimeGenerated >= ago(2d)
| join t on $left.DestinationIP == $right.ip
The caveats are:
- only 10K cidr allowed in this query otherwise it will error out with complain of too much data.
- It's very slow in comparison to the join query of networkIPs. (perhaps it has to do the cidr calculation instead of string comparison in just network ips)
This might be a work around for someone that is looking to do the same. Unfortunately the size limitation of CIDRs is a blocker for me to actually use it.