Forum Discussion
KQL Query for Match IoC from WatchList
Hi all, can you help me to make a query to match IoC that i imported from a csv file in to a a watchlist? My query at the moment is: let Ioc = _GetWatchlist('ioc'); AzureActivity | where Call...
- Have a look at this example here - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml
This has a few different types of IOCs, in this example they are just a list which is cast as a variable but with your example you can use your watchlist as the source, i.e
let domains= _GetWatchlist('ioc') | where ioc_type == "domains" | project ioc_type;
let hashes= _GetWatchlist('ioc') | where ioc_type == "hashes" | project ioc_type;
Then search in your relevant data for the information using unions like in that example above
Have a look at this example here - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml
This has a few different types of IOCs, in this example they are just a list which is cast as a variable but with your example you can use your watchlist as the source, i.e
let domains= _GetWatchlist('ioc') | where ioc_type == "domains" | project ioc_type;
let hashes= _GetWatchlist('ioc') | where ioc_type == "hashes" | project ioc_type;
Then search in your relevant data for the information using unions like in that example above
This has a few different types of IOCs, in this example they are just a list which is cast as a variable but with your example you can use your watchlist as the source, i.e
let domains= _GetWatchlist('ioc') | where ioc_type == "domains" | project ioc_type;
let hashes= _GetWatchlist('ioc') | where ioc_type == "hashes" | project ioc_type;
Then search in your relevant data for the information using unions like in that example above