Forum Discussion
How to query in unknown columns?
- Sep 17, 2019
CloudMe Ok. My take on this is to address this to the Azure Sentinel team. There is already a Malicious IP feature that is able to flag malicious IPs. It should work for Firewall logs, Wire Data and IIS logs. Maybe a few more. But it will be good if they make it work for all the logs they have connectors for. Trying to do this on your own will never be optimal or good enough, as Microsoft has an internal service that is able to recognize these IPs. That service is what they use for Malicious IP. Additionally, besides the IP being malicious, they also feed you other information, like whether it is a botnet, the country, etc.
Stanislav_Zhelyazkov Thanks for the input.
I thought it would be useful to have a way to scan a Workspace for malicious IPs without worrying about the possibility of missing a Table.
In larger organizations, sources may be added to a Workspace without our prior knowledge of the table and its content, and thus the risk of missing a malicious event increases.
It can also help with hunting for threats in a new and unfamiliar environment.
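An added example of the schema-agnostic scan described above, written for this thread and not posted by either participant. It uses the Log Analytics/KQL `search` operator, which matches a term in every column of every table in the workspace, so a newly connected table is covered even if nobody has mapped its IP columns yet. The two IP addresses are constructed placeholders from documentation ranges, not real indicators; in practice the list would come from a watchlist or the workspace's threat-intelligence indicators.

```kql
// Constructed placeholder IPs (documentation ranges), not real indicators.
// search scans every column of every table for the literal terms, so no
// table name or column name has to be known in advance.
search "203.0.113.45" or "198.51.100.7"
// Scanning all tables is expensive: always bound the time range.
| where TimeGenerated > ago(7d)
// $table is emitted by search and names the table each hit came from;
// summarizing by it shows which sources (known or not) carry the IP.
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by $table
| order by Hits desc
```

Because `search` matches the term as text rather than as an IP type, it also catches addresses embedded in URLs, user-agent strings or free-text fields that a typed column filter would miss; the trade-off is cost, so run it over a short window (or on a schedule against recent data) and, once a hit reveals a table, write a narrower query against that table's actual IP column for the ongoing detection rule.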