Forum Discussion
sulaimanncs915
Mar 26, 2024Copper Contributor
IOCs Watchlist
Hi All, I am looking for guidance on how to use a Watchlist and run it against all my log sources, for example for IP address, hash, domain and URL, for the last 90 days. Could anyone advise on how to do this or...
Clive_Watson
Mar 27, 2024Bronze Contributor
What type of Watchlist? e.g. will it be used to enrich the found data, so that if the watchlist has 1.1.1.1 with a description column of "my web server", the KQL will display a match?
The first example here helps with that https://learn.microsoft.com/en-us/azure/sentinel/watchlists#watchlists-in-queries-for-searches-and-detection-rules
The challenge could be normalisation, in which case you will need to use the ASIM parsers where available. The issue with normalization is that many tables don't name things the same, so in one it's IPAdress, in another SrcIPaddr, etc... If you have a few tables, then using a "union" in KQL may be an option, but for many tables it can be problematic.
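One way to put the two ideas together (watchlist lookup plus ASIM normalisation), as an added example that is not code from this thread: it assumes a watchlist with alias 'IOCs' whose columns are Indicator (set as the SearchKey), IndicatorType and Description, and it uses the ASIM unifying parsers so the column names are already the same across every source each parser covers.

```kql
// Added example, not from the thread. Assumed watchlist 'IOCs' with columns
// Indicator (the SearchKey), IndicatorType (ip | domain | url | sha256) and Description.
let lookback = 90d;
let iocs = _GetWatchlist('IOCs')
    | project Indicator = tostring(SearchKey),
              IndicatorType = tolower(tostring(IndicatorType)),
              Description = tostring(Description);
// One dynamic array per indicator type, so each parser only checks the relevant fields.
let ip_iocs   = toscalar(iocs | where IndicatorType == "ip"     | summarize make_set(Indicator));
let dns_iocs  = toscalar(iocs | where IndicatorType == "domain" | summarize make_set(Indicator));
let url_iocs  = toscalar(iocs | where IndicatorType == "url"    | summarize make_set(Indicator));
let hash_iocs = toscalar(iocs | where IndicatorType == "sha256" | summarize make_set(Indicator));
// The ASIM unifying parsers normalise field names (SrcIpAddr, DnsQuery, Url, ...),
// so the same watchlist is matched against every source without per-table column mapping.
union isfuzzy=true
    (_Im_NetworkSession(starttime=ago(lookback), endtime=now())
        | where SrcIpAddr in (ip_iocs) or DstIpAddr in (ip_iocs)
        | extend Indicator = iff(SrcIpAddr in (ip_iocs), SrcIpAddr, DstIpAddr), Source = "NetworkSession"),
    (_Im_Dns(starttime=ago(lookback), endtime=now())
        | where DnsQuery in~ (dns_iocs)
        | extend Indicator = DnsQuery, Source = "Dns"),
    (_Im_WebSession(starttime=ago(lookback), endtime=now())
        | where Url in~ (url_iocs) or DstIpAddr in (ip_iocs)
        | extend Indicator = iff(Url in~ (url_iocs), Url, DstIpAddr), Source = "WebSession"),
    (_Im_ProcessEvent(starttime=ago(lookback), endtime=now())
        | where TargetProcessSHA256 in~ (hash_iocs)
        | extend Indicator = TargetProcessSHA256, Source = "ProcessEvent")
| project TimeGenerated, Source, Indicator, EventVendor, EventProduct
// Enrich each hit with the watchlist's Description column, as Clive describes.
| join kind=inner (iocs) on Indicator
| project-away Indicator1
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Sources = make_set(Source), Products = make_set(EventProduct)
    by Indicator, IndicatorType, Description
| order by LastSeen desc
```

The ASIM parsers accept starttime/endtime so the 90-day window is pushed into each underlying table rather than filtered after the union; a long lookback over large tables can still be slow, so narrowing the watchlist to current indicators helps.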