Forum Discussion
Deleted
Aug 25, 2022
Searching for all IOCs of different types in all logs(?) and maybe via file for import?
Hi everyone!
I am sure there have been similar questions, but sadly, I am not really finding anything clear and specific enough to implement in any practical way.
I would like to:
- Scan for IOCs.
- These IOCs can be of multiple types (hashes (MD5, SHA1, SHA256), IPs, URLs, or files etc.)
- Scan for them in all relevant systems/tables. (I have available: Alerts, Apps/Identities, Email & Collaboration, Devices, Threat & Vul. Management)
- Potentially also, rather than copy/paste into the query editor, can it be done by placing them into a file (any type, such as txt or csv for example), and then referencing that in the query to obtain the many types of IOCs???
Thanks in advance, you gurus!
2 Replies
- Rod_Trent
Microsoft
Deleted I hope I caught your meaning entirely...but...
If you have the list of IOCs
1. You can store the IOCs in an external file and use the externaldata operator: externaldata operator - Azure Data Explorer | Microsoft Docs
2. Using the search operator allows you to search all tables at once: search operator - Azure Data Explorer | Microsoft Docs
3. You can save your queries in the UI to run them again later.
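One way to wire Rod's first two points together, as an added example that is not from this thread or from Microsoft: it assumes the Microsoft 365 Defender advanced hunting table and column names (DeviceFileEvents, DeviceNetworkEvents, EmailAttachmentInfo, EmailUrlInfo, AlertEvidence), a 30-day lookback, and a constructed IOC list; the storage URL and SAS token in the externaldata comment are placeholders, and the hash, IP and URL values are made up.

```kql
// Added example (not from the thread): hunt a mixed-type IOC list across several
// advanced hunting tables. Table/column names are assumed from the Microsoft 365
// Defender schema; every IOC value below is constructed for illustration.
//
// 1. Load the IOCs. For a real run, replace the datatable with externaldata reading
//    a CSV you host (placeholder storage account and SAS token):
//
//    let Iocs = externaldata(Type:string, Value:string)
//        [@"https://<storage-account>.blob.core.windows.net/ioc/iocs.csv?<SAS-token>"]
//        with (format="csv", ignoreFirstRecord=true);
//
let Iocs = datatable(Type:string, Value:string) [
    "sha256", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", // constructed
    "md5",    "0123456789abcdef0123456789abcdef",                                 // constructed
    "ip",     "203.0.113.10",                                                     // RFC 5737 test range
    "url",    "http://malicious.example.invalid/payload.exe"                      // constructed
];
let Lookback = 30d;
// 2. Split the list by type and lower-case hashes/URLs so the joins below
//    (which are case-sensitive) match regardless of how a table stores them.
let HashIocs = Iocs | where Type in~ ("md5", "sha1", "sha256") | project IocType = "hash", IocValue = tolower(Value);
let IpIocs   = Iocs | where Type =~ "ip"  | project IocType = "ip",  IocValue = Value;
let UrlIocs  = Iocs | where Type =~ "url" | project IocType = "url", IocValue = tolower(Value);
let AllIocs  = union HashIocs, IpIocs, UrlIocs;
// 3. Match each type against the columns that can carry it, then union the hits.
//    The same pattern extends to CloudAppEvents, IdentityLogonEvents, etc.
union
    (DeviceFileEvents
    | where Timestamp > ago(Lookback)
    // one row per hash column so a single join covers SHA256, SHA1 and MD5
    | mv-expand IocValue = pack_array(SHA256, SHA1, MD5) to typeof(string)
    | where isnotempty(IocValue)
    | extend IocValue = tolower(IocValue)
    | join kind=inner (HashIocs) on IocValue
    | project Timestamp, SourceTable = "DeviceFileEvents", IocType, IocValue,
              DeviceName, FileName, FolderPath, InitiatingProcessFileName),
    (DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | extend IocValue = RemoteIP
    | join kind=inner (IpIocs) on IocValue
    | project Timestamp, SourceTable = "DeviceNetworkEvents", IocType, IocValue,
              DeviceName, RemotePort, InitiatingProcessFileName),
    (DeviceNetworkEvents
    | where Timestamp > ago(Lookback) and isnotempty(RemoteUrl)
    | extend IocValue = tolower(RemoteUrl)
    | join kind=inner (UrlIocs) on IocValue
    | project Timestamp, SourceTable = "DeviceNetworkEvents", IocType, IocValue,
              DeviceName, RemoteIP, InitiatingProcessFileName),
    (EmailAttachmentInfo
    | where Timestamp > ago(Lookback)
    | extend IocValue = tolower(SHA256)
    | join kind=inner (HashIocs) on IocValue
    | project Timestamp, SourceTable = "EmailAttachmentInfo", IocType, IocValue,
              NetworkMessageId, SenderFromAddress, RecipientEmailAddress, FileName),
    (EmailUrlInfo
    | where Timestamp > ago(Lookback)
    | extend IocValue = tolower(Url)
    | join kind=inner (UrlIocs) on IocValue
    | project Timestamp, SourceTable = "EmailUrlInfo", IocType, IocValue, NetworkMessageId),
    (AlertEvidence
    | where Timestamp > ago(Lookback)
    | mv-expand IocValue = pack_array(SHA256, SHA1, RemoteIP, RemoteUrl) to typeof(string)
    | where isnotempty(IocValue)
    | extend IocValue = tolower(IocValue)
    | join kind=inner (AllIocs) on IocValue
    | project Timestamp, SourceTable = "AlertEvidence", IocType, IocValue, AlertId, Title, Severity)
| order by Timestamp desc
//
// Quick one-off check with the search operator (Rod's item 2) works with literal
// terms only, not with a table of values:
// search in (DeviceFileEvents, DeviceNetworkEvents, EmailUrlInfo, AlertEvidence) "203.0.113.10"
```

Two caveats before relying on this: externaldata needs the file to be reachable by the query engine (a blob with a SAS token is the usual route) and it is documented for Azure Data Explorer and Log Analytics, so check the supported-operator list of the portal you actually run the query in before depending on it there (an assumption on my part, not something the thread confirms). Matching above is exact-string after lower-casing, which is right for hashes and IPs but means a domain-only IOC will not hit a full RemoteUrl; a domain type would need its own split with `has` or `endswith` rather than a join.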
- Deleted
Rod_Trent
Thanks, I will have a play and see what happens!
Amazing that this wasn't as easy to find by searching 🙂