Agent Foskett Academy • Lesson 18 • Using in to Search Multiple Indicators

Using in to Search Multiple Indicators

Investigations often start with more than one clue.
Two suspicious IP addresses.
Three domains.
Several users.
A small list of devices.

Typing the same where line again and again quickly becomes messy.

In this Agent Foskett Academy lesson, you will learn how defenders use the KQL in operator to search for multiple indicators at once and keep Microsoft Defender XDR and Sentinel investigations clean, focused and repeatable.

Lesson overview

Learn how to search multiple users, IP addresses, domains and devices with cleaner KQL instead of building long chains of OR conditions.

Use in for multiple values
Search indicator lists
Keep investigations readable
🔎 One query can search many clues.
The in operator helps defenders search multiple indicators without turning the query into a wall of repeated OR statements.

Why the in operator matters

In real investigations, defenders rarely search for only one value.

You may need to search for several IP addresses from a phishing kit, multiple domains from a suspicious email campaign or a short list of users who received the same message.

The in operator lets you compare one column against a list of values.
Cleaner queries: use one list instead of repeating the same column comparison many times.
Better indicator searches: search users, devices, IP addresses, domains, URLs or file hashes from one investigation list.
Easier updates: add or remove indicators from the list without rewriting the whole query.

Investigation scenario

A phishing investigation has produced three suspicious sender domains and two suspicious IP addresses.

The analyst wants to search Microsoft Defender XDR telemetry for matching activity without writing a long and messy query.

Step 1 — The messy way with OR

This works, but it becomes difficult to read as the indicator list grows.
messy-or-search.kql
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain == "contoso-login.com"
    or SenderFromDomain == "secure-contoso.net"
    or SenderFromDomain == "account-review.org"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction

Step 2 — The cleaner way with in

The in operator checks whether a field matches any value in the list.
clean-in-search.kql
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain in ("contoso-login.com", "secure-contoso.net", "account-review.org")
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction

Step 3 — Use in with a let statement

For longer investigations, store the indicator list in a let statement so it is easier to manage.
indicator-list-with-let.kql
let suspiciousDomains = dynamic(["contoso-login.com", "secure-contoso.net", "account-review.org"]);
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain in (suspiciousDomains)
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
| sort by Timestamp desc

What in does

The in operator returns rows where the selected field matches one of the values in the list.

Think of it as asking: does this value appear in my investigation list?
Column first: place the field you want to test on the left side, such as SenderFromDomain or RemoteIP.
List second: place the values you want to match inside brackets, a dynamic list or a reusable let statement.
Exact matching: use in when you are searching for known values rather than partial text patterns.
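As an added example (not part of the original lesson), the query below builds a small constructed table with datatable so the matching rules can be observed without access to Defender telemetry: in compares the whole value case-sensitively, in~ is the case-insensitive form, and a subdomain such as mail.account-review.org matches neither because it is not an exact value in the list.

```kql
// Added example: how "in" matches values. Rows below are constructed sample data, not real telemetry.
let suspiciousDomains = dynamic(["contoso-login.com", "secure-contoso.net", "account-review.org"]);
let sampleEmails = datatable(Timestamp:datetime, SenderFromDomain:string, Subject:string) [
    datetime(2024-05-01 09:00:00), "contoso-login.com",       "Verify your account",   // exact value from the list
    datetime(2024-05-01 09:05:00), "Secure-Contoso.net",      "Password expiry",       // differs from the list only by case
    datetime(2024-05-01 09:10:00), "mail.account-review.org", "Review required",       // subdomain of a listed domain
    datetime(2024-05-01 09:15:00), "contoso.com",             "Weekly report"          // not in the list at all
];
sampleEmails
// "in" and "in~" return a bool, so they can be used in extend as well as in where
| extend ExactMatch      = SenderFromDomain in (suspiciousDomains),   // case-sensitive, whole-value comparison
         CaseInsensitive = SenderFromDomain in~ (suspiciousDomains)   // same comparison, ignoring case
| project Timestamp, SenderFromDomain, Subject, ExactMatch, CaseInsensitive
```

Compare the two flag columns row by row; the subdomain row is the one to keep in mind when an indicator list holds bare domains, since a partial-text operator would be needed to catch it.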

Step 4 — Search multiple IP addresses

Use the same approach when investigating known suspicious IP addresses.
multiple-ip-search.kql
let suspiciousIPs = dynamic(["203.0.113.10", "198.51.100.25"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (suspiciousIPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, InitiatingProcessFileName
| sort by Timestamp desc

Step 5 — Search multiple users

You can also use in when several users are part of the same investigation.
multiple-user-search.kql
let targetUsers = dynamic(["user1@contoso.com", "user2@contoso.com", "user3@contoso.com"]);
UrlClickEvents
| where Timestamp > ago(7d)
| where AccountUpn in (targetUsers)
| project Timestamp, AccountUpn, Url, ActionType, ThreatTypes
| sort by Timestamp desc

Step 6 — Use !in to exclude known safe values

The opposite of in is !in. This is useful when you want to remove known safe values from the results.
exclude-known-safe-values.kql
let trustedDomains = dynamic(["contoso.com", "microsoft.com", "office.com"]);
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain !in (trustedDomains)
| summarize EmailCount = count() by SenderFromDomain
| sort by EmailCount desc

Investigator notes

Use in when you already know the exact values you want to search for.

If you are looking for partial text, patterns or words inside longer strings, operators such as contains or has may be a better fit.
Great for indicators: use in for known users, devices, IP addresses, domains, file hashes and exact values.
Avoid huge messy lists: if the list becomes very large, consider using a watchlist or external table in Sentinel.
Combine with let: let statements make indicator lists easier to reuse across multiple tables and investigation steps.
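The "combine with let" note above, carried one step further as an added example that is not from the original lesson: a single indicator list is defined once and searched across two Defender XDR tables with union, so the network and email sides of the same investigation are answered by one query. It assumes the lesson's constructed IP list and the standard DeviceNetworkEvents and EmailEvents columns (SenderIPv4 is the EmailEvents column for the sending server's IP).

```kql
// Added example: one let list reused across two tables. The IPs are the lesson's constructed
// documentation-range values (203.0.113.0/24, 198.51.100.0/24), not real indicators.
let suspiciousIPs = dynamic(["203.0.113.10", "198.51.100.25"]);
let lookback = 7d;   // same window for both tables, changed in one place
union
  // Device-side evidence: outbound connections to a listed IP
  (DeviceNetworkEvents
   | where Timestamp > ago(lookback)
   | where RemoteIP in (suspiciousIPs)
   | extend Source = "DeviceNetworkEvents",
            Indicator = RemoteIP,
            Context = strcat(DeviceName, " -> ", RemoteIP, ":", RemotePort, " (", InitiatingProcessFileName, ")")),
  // Email-side evidence: messages sent from a listed IP
  (EmailEvents
   | where Timestamp > ago(lookback)
   | where SenderIPv4 in (suspiciousIPs)
   | extend Source = "EmailEvents",
            Indicator = SenderIPv4,
            Context = strcat(SenderFromAddress, " -> ", RecipientEmailAddress, " | ", Subject)))
// Common shape for both sources so the result reads as one timeline
| project Timestamp, Source, Indicator, Context
| sort by Indicator asc, Timestamp desc
```

In Sentinel, the same query can read the list from a watchlist instead of a dynamic literal, for example `let suspiciousIPs = _GetWatchlist('PhishingIPs') | project SearchKey;` (the watchlist name is a placeholder).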
🎓 Agent Foskett Academy — Search the whole clue list
You now understand how to use in and !in to search or exclude multiple values in KQL investigations.

What you learned

In this lesson, you learned how to use the KQL in operator to search multiple indicators.
Using in: search one field against a list of known investigation values.
Using !in: exclude known safe values so suspicious activity is easier to review.
Using indicator lists: combine in with let and dynamic lists to make Microsoft Defender XDR investigations cleaner.

Continue your investigation

The next step is learning how to use case statements to classify investigation results and make findings easier to understand.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD
