Hi Community,
My "ThreatIntelligenceIndicator" table stores rows of NetworkCidrBlock as indicators.
I need to query "CommonSecurityLog" table against the indicator table on any DestinationIP that matches any value in NetworkCidrBlock column.
I understand the function ipv4_is_match() can check if an IP is within a CIDR block. So I tried to use it for IP-to-CIDR correlation between the two tables... something like the following, but it gave me an error: join can only work on column entity or equality expression like $left.DestinationIP == $right.NetworkIP.
CommonSecurityLog
| where TimeGenerated >= ago(2h) and not(ipv4_is_private(DestinationIP))
| join (ThreatIntelligenceIndicator
| where ExpirationDateTime > now() and Active == true and NetworkIP != ''
) on ipv4_is_match($left.DestinationIP, $right.NetworkCidrBlock)
If there's any workaround that allows me to correlate IPs in the log with CIDR blocks, please share!
Thanks in advance!
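One way to do the IP-to-CIDR correlation the question asks about, as an added example that is not part of the original post: KQL's join only accepts equality conditions, so the usual pattern is to cross-join on a constant key and apply ipv4_is_match() as a filter afterwards. Column names are the ones mentioned in the question; the `lookback` variable and the `JoinKey` helper column are additions.

```kusto
// Added example (not from the original post). Assumes the column names
// used in the question; `lookback` and `JoinKey` are added helpers.
let lookback = 2h;
// Active, unexpired indicators that actually carry a CIDR block.
// Keep this set as small as possible: the join below is a cross join,
// so its cost is (log rows) x (indicator rows).
let cidrIndicators = ThreatIntelligenceIndicator
    | where ExpirationDateTime > now() and Active == true
    | where isnotempty(NetworkCidrBlock)
    | extend JoinKey = 1;
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
| where isnotempty(DestinationIP) and not(ipv4_is_private(DestinationIP))
// Constant key on both sides turns the equality join into a cross join.
| extend JoinKey = 1
| join kind=inner cidrIndicators on JoinKey
// The CIDR test KQL refuses inside `on` works fine as a post-join filter.
// ipv4_is_match accepts prefix notation in either argument, e.g. "203.0.113.0/24".
| where ipv4_is_match(DestinationIP, NetworkCidrBlock)
| project-away JoinKey
| project TimeGenerated, DestinationIP, NetworkCidrBlock, ExpirationDateTime
```

If the indicator set is large, the `ipv4_lookup` plugin (`evaluate ipv4_lookup(cidrIndicators, DestinationIP, NetworkCidrBlock)`) does the same CIDR matching without materialising the cross product; check that it is available in your Log Analytics workspace before relying on it.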