A security analyst is creating a custom detection rule in Microsoft 365 Defender using Advanced Hunting. The rule should alert when a user signs in from an IP address that is not in the company's approved IP range (192.168.0.0/16). Which KQL function should be used to compare the sign-in IP against the approved range?
- A. `ipv4_is_in_range(SigninIP, '192.168.0.0/16')`
  Correct. This function directly checks whether the IP is within the given CIDR range.
- B. `has_any(SigninIP, dynamic(['192.168.0.0/16']))`
  Why wrong: has_any is for substring matching, not for CIDR range evaluation.
- C. `ipv4_is_private(SigninIP)`
  Why wrong: this checks whether the IP is in any private range (RFC 1918), not against a specific range.
- D. `SigninIP startswith '192.168.'`
  Why wrong: string prefix matching works only for /16 ranges and fails for subnets such as /24.