Forum Discussion

sulaimanncs915
Copper Contributor
Mar 26, 2024

IOCs Watchlist

Hi All

I am looking for guidance on how to use a Watchlist and run it against all my log sources, for example for IP address, hash, domain and URL, for the last 90 days.

Could anyone advise on how to do this, or is there any other way?

1 Reply

  • Clive_Watson
    Bronze Contributor
    What type of Watchlist? e.g. will it be used to enrich the found data, so if the watchlist has 1.1.1.1 with a description column of "my web server" then the KQL will display a match

    The first example here helps with that https://learn.microsoft.com/en-us/azure/sentinel/watchlists#watchlists-in-queries-for-searches-and-detection-rules

    The challenge (could) be normalisation, in which case you will need to use the ASIM parsers where available. The issue with normalization is that many tables don't name things the same, so in one it's IPAddress, in another SrcIpAddr, etc... If you have a few tables, then using a "union" in KQL may be an option, but for many tables it can be problematic.
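As an added illustration of the approach described in this reply (not code from the original thread or from Microsoft), the KQL below reads a watchlist with `_GetWatchlist()`, sweeps the ASIM unifying parsers for network, DNS, web and file events over a 90-day window, and then uses `lookup` to enrich every match with the watchlist's description column. The watchlist name (`IocWatchlist`) and its column layout (`IocType`, `IocValue`, `Description`) are assumptions; adjust them to your own watchlist. Matching is exact (case-insensitive) on the indicator value; use `has_any` / `has_any_prefix` instead of `in~` if you need substring or prefix matches.

```kql
// Assumed watchlist: 'IocWatchlist' with columns IocType (ip|hash|domain|url),
// IocValue and Description. Values are lower-cased so matches are case-insensitive.
let lookback = 90d;
let ioc = _GetWatchlist('IocWatchlist')
    | project IocType = tolower(IocType), IocValue = tolower(IocValue), Description;
// One dynamic array per indicator type, used with the in~ operator below.
let ips     = toscalar(ioc | where IocType == "ip"     | summarize make_set(IocValue));
let hashes  = toscalar(ioc | where IocType == "hash"   | summarize make_set(IocValue));
let domains = toscalar(ioc | where IocType == "domain" | summarize make_set(IocValue));
let urls    = toscalar(ioc | where IocType == "url"    | summarize make_set(IocValue));
// IP indicators: source or destination address of any normalized network session.
let netHits = _Im_NetworkSession(starttime=ago(lookback), endtime=now())
    | where SrcIpAddr in~ (ips) or DstIpAddr in~ (ips)
    | extend IocType = "ip",
             IocValue = iff(SrcIpAddr in~ (ips), SrcIpAddr, DstIpAddr)
    | project TimeGenerated, EventProduct, IocType, IocValue;
// Domain indicators: the queried name in normalized DNS events.
let dnsHits = _Im_Dns(starttime=ago(lookback), endtime=now())
    | where DnsQuery in~ (domains)
    | extend IocType = "domain", IocValue = DnsQuery
    | project TimeGenerated, EventProduct, IocType, IocValue;
// URL indicators: the requested URL in normalized web session events.
let webHits = _Im_WebSession(starttime=ago(lookback), endtime=now())
    | where Url in~ (urls)
    | extend IocType = "url", IocValue = Url
    | project TimeGenerated, EventProduct, IocType, IocValue;
// Hash indicators: SHA256 of the target file in normalized file events.
let fileHits = _Im_FileEvent(starttime=ago(lookback), endtime=now())
    | where TargetFileSHA256 in~ (hashes)
    | extend IocType = "hash", IocValue = TargetFileSHA256
    | project TimeGenerated, EventProduct, IocType, IocValue;
// Union the normalized hits, enrich each with the watchlist description,
// and summarize per indicator so the result reads as a 90-day IOC hit report.
union netHits, dnsHits, webHits, fileHits
| extend IocValue = tolower(IocValue)
| lookup kind=inner ioc on IocType, IocValue
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Sources = make_set(EventProduct)
          by IocType, IocValue, Description
| order by Hits desc
```

Because the ASIM parsers already map each product's column names onto `SrcIpAddr`, `DnsQuery`, `Url` and `TargetFileSHA256`, the `union` stays small regardless of how many underlying tables feed each parser, which is the normalization problem the reply points at. Two practical checks before relying on the result: confirm the ASIM parsers are deployed in the workspace (they are not present by default), and confirm that the tables you care about actually retain 90 days of data in the interactive retention tier, otherwise the `starttime` window silently returns fewer days than requested.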