Forum Discussion
akshay250692
Mar 22, 2023
Call all watchlist column entities in the incident.
We have created a watchlist which has 3 columns. So if any incident is triggered from the watchlist, we should get all entities in the incident. We have created the watchlist based on ThreatIntel. It has 3 columns: IPAddress, MalwareName and Provider. So we have projected only "IPAddress" from the watchlist in the analytical rule, but we want IPAddress along with MalwareName and Provider in the incident.
Can someone help regarding KQL for the above situation?
- GBushey
Microsoft
You will not be able to have anything in the incident that is not part of the analytic rule unless you add it as a comment later. I would suggest having all that information added as entities (or at least one entity that is a JSON array) so you can access it in the Incident itself.
- akshay250692
This is the query below.

let Watchlist = (_GetWatchlist('xyz')
| project SearchKey);
DeviceNetworkEvents
| where LocalIP in (Watchlist) or RemoteIP in (Watchlist)

Below are the watchlist columns, which are IPAddress, Provider and MalwareName. How can all columns be included in the above query?
- GBushey
Microsoft
Get rid of the "project" statement if you want to see all the columns. The "project" statement will only show those columns that are included as part of the statement ("SearchKey" in this case).
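An added example (not from either poster) showing one way to carry all three watchlist columns into the rule's result rows: instead of filtering with in() against a single projected column, join the full watchlist onto the events on the IP. It assumes the watchlist is named 'xyz' with columns IPAddress, Provider and MalwareName, and that the source table is DeviceNetworkEvents with LocalIP and RemoteIP, as in the thread.

```kql
// Added example, not the thread's own query.
// Assumed watchlist name and columns: 'xyz' with IPAddress, Provider, MalwareName.
let Watchlist = _GetWatchlist('xyz')
    | project IPAddress = tostring(IPAddress),
              Provider = tostring(Provider),
              MalwareName = tostring(MalwareName);
// Match the watchlist IP against the local side of the connection.
let LocalHits = DeviceNetworkEvents
    | join kind=inner (Watchlist) on $left.LocalIP == $right.IPAddress
    | extend MatchedIP = LocalIP, MatchSide = "Local";
// Match the watchlist IP against the remote side of the connection.
let RemoteHits = DeviceNetworkEvents
    | join kind=inner (Watchlist) on $left.RemoteIP == $right.IPAddress
    | extend MatchedIP = RemoteIP, MatchSide = "Remote";
// Every row now carries the matched IP plus Provider and MalwareName from the watchlist,
// so all three columns are available to the analytics rule, not just the IP.
union LocalHits, RemoteHits
| project TimeGenerated, DeviceName, LocalIP, RemoteIP,
          MatchedIP, MatchSide, Provider, MalwareName
```

In the analytics rule these columns can then be surfaced on the incident by mapping MatchedIP under Entity mapping (IP entity) and Provider and MalwareName under Custom details.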