
Referencing Data Stored Separately in KQL


I’m currently working with KQL and I need to make some sort of list or table that holds hundreds of malicious IP values. I’m really new to KQL and InfoSec in general, so I was wondering if there’s a way that I can create some sort of data table of IPs that I can call on in various queries.

Here is an example of the kind of data table I’m working with:

let ipAddresses = datatable(IPAddress:string)
[
    "62.86.18.86",
    "8.211.111.53",
    "14.178.141.190"
];

Essentially, I want this to be stored in a separate query, and then be able to call this data table anytime I need it. For example, I want to be able to use this data table in a separate query to check if any one of these IPs had a successful sign-in on a user’s account.

I have tried copying and pasting these long lists of IPs into every query I make, but that seems to be very inefficient. The problem becomes that if one query’s data table is updated, all queries that also use that data table must also be updated. I’m looking for this table to be more centralized (if that makes sense).
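
One way to centralize the list, shown as an added example that is not part of the original post: store the datatable once as a named function and call that function from every query. The example assumes Azure Data Explorer syntax for the stored function; the name `MaliciousIPs`, the folder name, and the sample sign-in rows are constructed for illustration, with column names following the `SigninLogs` table in Microsoft Sentinel.

```kusto
// Step 1 (run once, as its own command): store the list as a database function.
// Assumption: Azure Data Explorer. In Log Analytics / Microsoft Sentinel, save the
// body between the braces as a function named MaliciousIPs from the query editor.
.create-or-alter function with (docstring = "Central list of malicious IPs", folder = "ThreatIntel")
MaliciousIPs() {
    datatable(IPAddress:string)
    [
        "62.86.18.86",
        "8.211.111.53",
        "14.178.141.190"
    ]
}

// Step 2 (any later query): call the function instead of pasting the list.
// SampleSignins is constructed data so the query runs anywhere; in Sentinel,
// replace it with the real SigninLogs table.
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              IPAddress:string, ResultType:string)
[
    datetime(2024-05-01 08:15:00), "alice@example.com", "203.0.113.10",   "0",
    datetime(2024-05-01 09:02:00), "bob@example.com",   "8.211.111.53",   "0",
    datetime(2024-05-01 09:40:00), "carol@example.com", "62.86.18.86",    "50126",
    datetime(2024-05-01 10:05:00), "bob@example.com",   "14.178.141.190", "0"
];
SampleSignins
| where ResultType == "0"                 // "0" marks a successful sign-in
| where IPAddress in (MaliciousIPs())     // the list lives in exactly one place
| summarize SuccessfulSignIns = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by UserPrincipalName, IPAddress
| order by LastSeen desc
```

Updating the list then means re-running step 1 with the new values; every query that calls `MaliciousIPs()` picks up the change without being edited.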


