This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 55.00000000000001%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIM%3C/text%3E%3C/svg%3E)
Hello,
I have defined a Watchlist that contains user names and known user IP addresses. I'm Trying to set up a query that will alert if it records a log-in associated with User A1 but NOT IP Address A2. (i.e. if Donald Duck logs in from 192.198.0.1 then do not alert, however if DonaldDuck logs in from 192.168.0.2 then DO ALERT). Is there any way to alert on just the value to the right of the username? I have a query that seems to search for ALL Usernames against ALL Ipadresses
Any help would be great
Username,IPAddress
DonaldDuck,192.198.0.1
BugsBunny,192.198.0.2
JackTorrance,192.198.0.3
My base query:
let watchlist = (_GetWatchlist('mwl') | project Username, IPAddress);
SignInLog
| where UserDisplayName in watchlist and IPAddress !in watchlist
| project IPAddress, UserDisplayName
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
@I'mLenny I believe this achieves your goal. give it a try
let watchlist = (_GetWatchlist('mwl') | project strcat(Username, _ , IPAddress));
SignInLog
| extend user_ip = strcat(UserDisplayName, _ ,IPAddress)
| where user_ip !in watchlist
| project IPAddress, UserDisplayName
Hey there,
This solution worked for the use case I explained above, which is going to go a long way in enriching the alerts I have set up already.
Thanks very much for your help
N.B. for anyone else reading this the underscores from the above answer should be contained in quote marks within your query
You could join the datasets, something like this?
let watchlist = (_GetWatchlist('mwl') | project Username, IPAddress);
watchlist
| join
(
SigninLogs
// project
) on $left.UserName == $right.UserDisplayName
| project UserName, userDisplayName, IPAddress
in the SigninLogs you may want to use a filter to just get the last result:
| summarize arg_max (TimeGenerated,*) by userDisplayName
Thanks for your input. The below solution has worked for my limited use case, however have identified areas where I want to improve it (add expiration dates and alert a log in from a known, allow listed IP address has triggered after the expiration). I think this might be a bit more robust.
I've not had a chance to look at your solution in detail and test but thank you regardless for your input. I will try it some point soon