KQL Query for Match IoC from WatchList

Question

Hi All,&nbsp;I would like to create a Watchlist for Hashes, URLs, Domains and IPs.&nbsp;After that i would like to create a KQL query to search the watchlist.&nbsp;Kindly help.

cyb3rmik3 · Answer

sulaimanncs915&nbsp;hi,&nbsp;you may find a very good guide at the link below to start building your watchlists which includes a query as well:https://charbelnemnom.com/how-to-use-watchlist-in-azure-sentinel/#Create_a_hunting_query&nbsp;But, mentioning hashes, IPs, urls and domains, that statement alone includes many tables to look into. Can you be more specific?

sulaimanncs915 · Answer

hi how can i search palo alot firewall logs for source IP ? any query

samikroy · Answer

sulaimanncs915 - First you need find where the Palo Alto Firewall Logs are ingestion .
Lets say, it is ingested into CommonSecurityLog table , the query should be like

CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct has "PAN-OS"
| where SourceIP == "<your IP address>"

Forum Discussion

KQL Query for Match IoC from WatchList

Share

Resources