Forum Discussion
Solved
Historical IOC searches
Hello everybody, I'm interested to understand how others approach this and what is perhaps considered the best practice for performing historical searches for IOC hits against the log data withi...
- Generally if you need a list you have two main choices, creating the IP Addresses or IOC in a Watchlist (or on Azure Storage) or creating a dynamic list as part of the query
https://docs.microsoft.com/en-us/azure/sentinel/watchlists
KQL example of a dynamic list
let IPList = dynamic(["216.24.185.74", "107.175.189.159","194.88.106.146"]);
ThreatIntelligenceIndicator
| where NetworkSourceIP in (IPList)
| summarize count() by NetworkSourceIP
Having a timeout 'suggests' there is some optimisation we can do, do you use the summarize command? Also see https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices
Generally if you need a list you have two main choices, creating the IP Addresses or IOC in a Watchlist (or on Azure Storage) or creating a dynamic list as part of the query
https://docs.microsoft.com/en-us/azure/sentinel/watchlists
KQL example of a dynamic list
let IPList = dynamic(["216.24.185.74", "107.175.189.159","194.88.106.146"]);
ThreatIntelligenceIndicator
| where NetworkSourceIP in (IPList)
| summarize count() by NetworkSourceIP
Having a timeout 'suggests' there is some optimisation we can do, do you use the summarize command? Also see https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices
https://docs.microsoft.com/en-us/azure/sentinel/watchlists
KQL example of a dynamic list
let IPList = dynamic(["216.24.185.74", "107.175.189.159","194.88.106.146"]);
ThreatIntelligenceIndicator
| where NetworkSourceIP in (IPList)
| summarize count() by NetworkSourceIP
Having a timeout 'suggests' there is some optimisation we can do, do you use the summarize command? Also see https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices