Query for IP External IP Addresses Only

Wilks · March 8, 2022, 1:29am

Hi,
I am trying to use a KQL query to search for non private (rfc1918) addresses. I am using the following query

AND NOT destination.ip:10.0.0.0/8 OR NOT destination.ip:192.168.0.0/16 OR NOT destination.ip :172.16.0.0/12

The issue is it works but some of the destination.ip results have no data. How do I write the query so that it just displays data where destination.ip : exists

Thanks

matw · March 8, 2022, 7:55am

Hi
Would using the filterbar for this purpose be an option?

Best,
Matthias

system · April 5, 2022, 7:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.