Forum Discussion
OmriPinsker
May 17, 2020Copper Contributor
IOC's cross custom tables
Hi CliveWatson, when using the above query I am trying to search across multiple tables at once and see if there is a match for any relevant IOC. 1. I am managing several lists: IP, Hash, URL etc an...
Ofer_Shezaf
Microsoft
May 17, 2020
If I understand Omri's question correctly, it is about getting the category and campaign associated once a match is found. The answer is to join the result set of the union on the IP address. A few implementation guidelines:
- You need to keep the TI table and not make a list out of it. The "let IoCs" line should not work as-is and assume TI is still a table.
- As Clive mentions, assigning the relevant IP to a common field such as NormalizedIP is needed for that.
A few additional differences worth mentioning between your two versions:
- Clive is using "isfuzzy=true," which is recommended (thanks Clive) as otherwise, if any of the parts of the union has an error, the whole thing fails.
- OmriPinsker : If your external list includes values that are not IP addresses, please filter them out when creating IoCs.
- Using let statements or not using them should not make a difference. CliveWatson : I wonder if you see an advantage either way apart from style?
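The join Ofer describes, written out in KQL as an added example (this is not code from the thread or from either participant). It assumes the IoC list lives in a custom table named TI_CL with columns IP_s, Category_s and Campaign_s, and that the events being searched are in CommonSecurityLog (SourceIP/DestinationIP) and SecurityEvent (IpAddress); both table names and the custom columns are assumptions, so adjust them to your workspace. It keeps TI as a table rather than a list, drops list entries that are not IPv4 addresses, unions the event sources with isfuzzy=true, assigns each source's address to a common NormalizedIP column, and joins on it so the matched rows carry Category and Campaign.

```kusto
// Added example, not from the original thread.
// Assumed custom table: TI_CL with columns IP_s, Category_s, Campaign_s.
// Assumed event tables: CommonSecurityLog and SecurityEvent (standard Sentinel tables).
let TI = TI_CL
    // parse_ipv4 returns null for anything that is not a valid IPv4 string,
    // so this filters out hostnames, hashes and malformed entries in the list
    | where isnotnull(parse_ipv4(IP_s))
    | project NormalizedIP = IP_s, Category = Category_s, Campaign = Campaign_s;
let Events = union isfuzzy=true
    // one leg per source column; each leg maps its address to NormalizedIP
    (CommonSecurityLog
        | where isnotempty(DestinationIP)
        | project TimeGenerated, Source = "CommonSecurityLog/dst", NormalizedIP = DestinationIP, Detail = DeviceVendor),
    (CommonSecurityLog
        | where isnotempty(SourceIP)
        | project TimeGenerated, Source = "CommonSecurityLog/src", NormalizedIP = SourceIP, Detail = DeviceVendor),
    (SecurityEvent
        | where isnotempty(IpAddress)
        | project TimeGenerated, Source = "SecurityEvent", NormalizedIP = IpAddress, Detail = Account);
Events
// kind=inner keeps every event row that matches an indicator, with the TI columns attached
| join kind=inner (TI) on NormalizedIP
| project TimeGenerated, Source, NormalizedIP, Category, Campaign, Detail
| order by TimeGenerated desc
```

Because the join is on the common column, adding another source is just another union leg that projects its own address field to NormalizedIP; the TI side does not change. If a source table is missing from the workspace, isfuzzy=true lets the rest of the union still run.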
OmriPinsker
Jun 16, 2020Copper Contributor
Hi CliveWatson
When trying to add additional external data such as https://openphish.com/feed.txt to the query, as there is no declaration of the column names in the feed, I am unable to determine the proper syntax for adding this.
let openphish = externaldata ( domain:string) ([@"https://openphish.com/feed.txt"] with (format="txt"));
CliveWatson
Jun 16, 2020 Former Employee
I can't make that file open with externaldata - do you also get a Query Aborted error?
OmriPinsker
Jun 16, 2020 Copper Contributor
Ofer_Shezaf
Jun 18, 2020
Microsoft
OmriPinsker : My guess is that openphish has some protection mechanism in place that blocks externaldata. As a long shot, you may want to check with them, however using Logic Apps to copy it daily to Azure storage would be easier.
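An added example (not from the thread) of what the query looks like once the feed has been copied to Azure storage as Ofer suggests. It assumes the feed file has been written to a blob, with <account>, <container> and <sas-token> as placeholders for your storage account, container and SAS token, and that the events to match carry a full URL in CommonSecurityLog.RequestURL (an assumption about the workspace). A header-less text file is read with format="txt", which puts each line into the single declared column, so the only column name is the one you choose in the externaldata declaration; the feed's hostnames are then matched against the host part of the event URL.

```kusto
// Added example, not from the original thread.
// Placeholders: <account>, <container>, <sas-token>. Assumed event column: CommonSecurityLog.RequestURL.
let openphish = externaldata (url:string)
    [@"https://<account>.blob.core.windows.net/<container>/openphish-feed.txt?<sas-token>"]
    // format="txt": no header, each line of the file becomes one row in the "url" column
    with (format="txt")
    | where isnotempty(url) and url startswith "http"
    // parse_url returns a dynamic object; Host is the hostname of the phishing URL
    | extend Host = tostring(parse_url(url).Host)
    | distinct url, Host;
CommonSecurityLog
| where isnotempty(RequestURL)
| extend Host = tostring(parse_url(RequestURL).Host)
// match on hostname rather than the full string, so path or query differences do not hide a hit
| join kind=inner (openphish) on Host
| project TimeGenerated, DeviceVendor, SourceIP, RequestURL, PhishURL = url
| order by TimeGenerated desc
```

The same shape works for any one-value-per-line feed (IPs, hashes): declare one column, filter out lines that are not the expected type, and join on a normalized column as in the IP case earlier in the thread.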