Using KQL to search on subnets

Question

I want to search something for IP's coming from a specific set of subnets. Some query languages are smart enough to know a /24 is a subnet, but KQL is not. Is there an alternative to this? This is not what I'll be searching on, but for the sake of example let's say you want to search on SignIn logs but only from machines in the 192.168.1.0/24

Have you seen the new Compare and Match functions? ipv4_compare: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-comparefunction ipv4_match: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-matchfunction — rodtrent, May 11 '20 at 14:09

score 3 · Answer 1 · answered May 12 '20 at 05:34

3

Please check: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-matchfunction

datatable (ip:string)
[
 '192.168.1.64', // match
 '192.168.2.11', // no match
]
| where ipv4_is_match(ip, '192.168.1.0/24')

answered May 12 '20 at 05:34

Alexander Sloutsky

2,827
8
13

Using KQL to search on subnets

1 Answers1