Searching IP CIDR Watchlist for an IP Address

[cybermohr]

I want to use a watchlist with IP CIDR ranges and search for an IP address in the watchlist. This is the code I am testing for this functionality:

---

let NetworkWatchlist = (_GetWatchlist('NetworkAddresses')
| project SearchKey
| summarize rangeList = make_list(SearchKey));
let MyIPAddress = '192.168.100.4';
NetworkWatchlist
| project MyIPAddress, tostring(rangeList)
| where (ipv4_is_in_range(MyIPAddress, rangeList))

The watchlist contains "192.168.100.0/24". What I have noticed is that the string list that gets created looks like ["192.168.100.0/24"] so the ipv4_is_in_range does not find the IP in the list. If I substitute rangeList with 192.168.100.0/24 explicitly, it works. For example:

---

let NetworkWatchlist = (_GetWatchlist('NetworkAddresses')
| project SearchKey
| summarize rangeList = make_list(SearchKey));
let MyIPAddress = '192.168.100.4';
NetworkWatchlist
| project MyIPAddress, tostring(rangeList)
| where (ipv4_is_in_range(MyIPAddress, '192.168.100.0/24'))

I think searching for an IP address in a Watchlist via CIDR would have been easy. This approach is very valuable. Not sure what I am missing.

[SQLtattoo]

Hi, is there a specific reason why you use the make_list() ?

I mean, you could rewrite the query like this:

let NetworkWatchlist = (_GetWatchlist('NetworkAddress')
| project rangeList = SearchKey //rename it to rangeList
| distinct rangeList); //instead of summarize to get the unique values I suppose
let MyIPAddress = '192.168.100.4';
NetworkWatchlist
| project MyIPAddress, tostring(rangeList)
| where (ipv4_is_in_range(MyIPAddress, rangeList))

I checked the above on my Sentinel environment and it worked like a charm.

HTH
Vassilis

[cybermohr]

Thank you @SQLtattoo. There was no particular reason. Was just struggling with examples. This works great.