Comments on: Azure Sentinel: CIDR matching
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/03/18/azure-sentinel-cidr-matching/
Feed last updated: Wed, 10 Feb 2021 12:44:00 +0000

By: Anonymous (Wed, 10 Feb 2021 12:44:00 +0000)
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/03/18/azure-sentinel-cidr-matching/comment-page-1/#comment-12227
In reply to Bob.

You could have a Watchlist called 'subNets' in this format:

Subnet, Notes
13.64.67.79/32, this is a test

And query like this, just an idea:

let IP_Data = _GetWatchlist('subNets');   // watchlist columns: Subnet (CIDR), Notes
Heartbeat
| evaluate ipv4_lookup(IP_Data, ComputerIP, Subnet)   // keep rows whose ComputerIP falls inside Subnet
| summarize count() by ComputerIP, Subnet

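An added worked example, not code from the original post or from either commenter, that extends the watchlist approach suggested in the reply above. The watchlist name 'subNets' and its columns Subnet and Notes are assumptions carried over from that comment; the datatables are constructed sample data standing in for the watchlist and for Heartbeat, so the query runs in any workspace even before the watchlist exists. It also goes a step beyond the single-subnet case: overlapping ranges, a /32, and IPs that match nothing.

```kusto
// Added example, not code from the original post or the comments above.
// 'subNets' and the Subnet/Notes columns are assumptions taken from the comment.
// Constructed data standing in for the watchlist so the query runs anywhere.
let IP_Data = datatable(Subnet:string, Notes:string) [
    '10.0.0.0/16',    'corp LAN',
    '10.0.1.0/24',    'corp LAN, server VLAN (more specific than the /16)',
    '13.64.67.79/32', 'single test host: a /32 matches only that exact address'
];
// Production form, reading the same two columns from the real watchlist:
//   let IP_Data = _GetWatchlist('subNets') | project Subnet, Notes;
// Constructed sample events standing in for the Heartbeat table.
let Events = datatable(ComputerIP:string, Computer:string) [
    '10.0.1.25',   'srv01',    // inside both 10.0.0.0/16 and 10.0.1.0/24
    '10.0.200.7',  'ws17',     // inside 10.0.0.0/16 only
    '13.64.67.79', 'test01',   // exact /32 hit
    '13.64.67.80', 'test02',   // one address past the /32, so no match
    '203.0.113.9', 'ext01'     // not in any listed range
];
Events
// ipv4_lookup emits one row per (IP, matching Subnet) pair, so an IP inside
// overlapping ranges (srv01 above) comes out more than once. return_unmatched
// also keeps the IPs that hit nothing, which is what a coverage check of the
// watchlist needs.
| evaluate ipv4_lookup(IP_Data, ComputerIP, Subnet, return_unmatched = true)
// Collapse to one row per IP by keeping the most specific (longest-prefix)
// match. Unmatched rows have an empty Subnet; give them -1 so they survive
// arg_max and are easy to filter on afterwards.
| extend PrefixLen = coalesce(toint(split(Subnet, '/')[1]), -1)
| summarize arg_max(PrefixLen, Subnet, Notes) by ComputerIP
| extend InWatchlist = PrefixLen >= 0
| order by ComputerIP asc
```

Two practical notes. Write watchlist entries with the host bits cleared (10.0.0.0/16 rather than 10.1.1.0/16) so the intended range is unambiguous to whoever reads the list later. And if you only want the simple "which IPs are in which range" count from the comment above, drop the return_unmatched argument and the arg_max step; the extra steps here exist to give one answer per IP and to surface addresses the watchlist does not cover.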
By: Bob (Tue, 09 Feb 2021 19:16:48 +0000)
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/03/18/azure-sentinel-cidr-matching/comment-page-1/#comment-12221

Hey Clive, excellent article.
Can CIDRs be matched in a watchlist?
i.e. can you add 10.1.1.0/16 to a watchlist, e.g.:
let watchlist = (_GetWatchlist('subnets') | project subnet);
and then match a single IP against that subnet?
e.g. match 10.1.1.1 to subnet 10.0.0.0/16 using the watchlist.
An example query would be MUCH appreciated!
