KQL: Check table of IPs against table of subnets
From a table with a column of IPs i would like to know which IPs are in a subnet from a table of which contains a column of subnets.
Attempt:
let IPs = SecurityAlert
| mv-expand parse_json(Entities)
| evaluate bag_unpack(Entities, columnsConflict='keep_source')
| distinct Address;
AzureIPTable
| extend ipv4_is_in_range(IPs, addressPrefixes)
Pretend addressPrefixes is a table of subnets in AzureIPTable and Address is a column of IPs in a table called SecurityAlert
Solution
I have reproduced in my environment and below are expected results:
Firstly IP's Table:
Subnet Table:
Now use below KQL Query (to Check if IP is in Subnet IP's, which are in another table ) like below:
let subnetTable = datatable(Subnet:string)
[
"172.168.1.0/24",
"10.0.0.0/24",
"172.16.0.0/16"
]
| summarize mylist = make_list(Subnet)
| extend new_column2 = 0
| sort by new_column2 desc;
let ipTable = datatable(IPAddress:string)
[
"192.168.1.10",
"10.0.0.5",
"172.16.0.20"
];
let x=ipTable
| extend new_column2 = 0
| sort by new_column2 desc
| extend rn=row_number()
|join kind=fullouter subnetTable on new_column2
|project-away rn,new_column2,new_column21;
let y = x
|mv-apply id= mylist to typeof(string) on (where ipv4_is_in_range(IPAddress,id))
|project-away mylist;
y
|join kind = fullouter x on IPAddress
|project-away IPAddress
|extend TESTCOL =iff(isempty(id),False,True)
|project-away id
Output:
If present in range then gives true else gives false.
- KQL: bag unpack json into single row
- Where is Update Policy failure logged
- How to do a KQL time window join at millisecond granularity?
- Kusto Query replace the timestamp of duplicate rows
- Using Kusto scan operator to capture sequential pairs that meets criteria
- KQL Query for Calculation of ErrorDuration within Timespan
- Add text to point(s) in Kusto linechart
- Kusto query with multiple sample values from an aggregate
- How to get data for specific date (startofweek) in a given time range in KQL?
- Defining external table kind as delta
- Kusto query map through array
- java.io.UncheckedIOException: io.netty.channel.StacklessClosedChannelException while writing to adx
- KQL: Every time a word is mentioned in a column append it to a new column as a list
- KQL: Create an id column every time a value changes in column x ordered by another column y
- Display lines & values for whole range of y-axis values in Kusto linechart
- Kusto - fetch data from one table where matching records do not exist in another table
- KQL - extract property value from an array of JSON objects, based on the value of another property
- KustoIngestFactory fails to load dependent assembly at runtime with FileNotFoundException
- KQL: How to reference columns within a let query in the next query
- Create a function to calculate power of tens with a loop and reuse them in another query
- Generate Chart by Type and State
- Azure Data Explorer C# querying and ORM
- Is it possible to update rows in Azure Data Explorer (Kusto)
- Kusto query for time between records by group in one result list
- Build a tree / run recursive query in Kusto Azure Data Explorer
- Where do Kusto dashboard definitions live
- Adding fixed delay to Update Policy execution
- insert an array in column of the kql table
- Stuck at PIM Diagnostics via KQL
- Grouping on the basis of cumulative sum