Forum Discussion
sulaimanncs915
Dec 20, 2023, Copper Contributor
KQL Query for Match IoC from WatchList
Hi all, I would like to create a watchlist for hashes, URLs, domains and IPs. After that I would like to create a KQL query to search the watchlist. Kindly help.
cyb3rmik3
Microsoft
Dec 20, 2023
sulaimanncs915 hi,
you may find a very good guide at the link below to start building your watchlists, which includes a query as well:
https://charbelnemnom.com/how-to-use-watchlist-in-azure-sentinel/#Create_a_hunting_query
But, mentioning hashes, IPs, URLs and domains, that statement alone includes many tables to look into. Can you be more specific?
sulaimanncs915
Dec 26, 2023, Copper Contributor
Hi, how can I search Palo Alto firewall logs for a source IP? Any query?
samikroy
Dec 29, 2023, MCT
sulaimanncs915 - First you need to find where the Palo Alto firewall logs are ingested.
Let's say it is ingested into the CommonSecurityLog table; the query should be like:
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct has "PAN-OS"
| where SourceIP == "<your IP address>"
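Putting the two answers together, below is an added example (written for this thread, not taken from any of the posters or from the linked guide) that reads a Sentinel watchlist with the built-in _GetWatchlist() function and matches its indicators against three tables: Palo Alto traffic in CommonSecurityLog (IPs), DnsEvents (domains) and DeviceProcessEvents from Defender for Endpoint (file hashes). The watchlist name "IoC_List", its "IndicatorType" column and the 7-day lookback are assumptions; the query relies on the watchlist having been created with the indicator value as its SearchKey column.

```kql
// Added example; assumes a watchlist named "IoC_List" (hypothetical) whose SearchKey
// holds the indicator and whose IndicatorType column is one of IP, Domain, URL or Hash.
let lookback = 7d;
let iocs = _GetWatchlist('IoC_List')
    | project IndicatorType, Indicator = tostring(SearchKey);
// Single-column lists so they can be used with the "in" operator below.
let ioc_ips = iocs | where IndicatorType =~ "IP" | project Indicator;
let ioc_domains = iocs | where IndicatorType =~ "Domain" | project Indicator;
let ioc_hashes = iocs | where IndicatorType =~ "Hash" | project Indicator = tolower(Indicator);
// 1. Palo Alto firewall traffic whose source or destination IP is on the list
let fw_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor == "Palo Alto Networks" and DeviceProduct has "PAN-OS"
    | where SourceIP in (ioc_ips) or DestinationIP in (ioc_ips)
    | project TimeGenerated, Table = "CommonSecurityLog", DeviceAction, Activity,
              SourceIP, DestinationIP, DestinationPort;
// 2. DNS lookups of listed domains (case-insensitive match)
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name in~ (ioc_domains)
    | project TimeGenerated, Table = "DnsEvents", ClientIP, Name;
// 3. Processes whose file hash (any of the three algorithms) is on the list
let hash_hits = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where tolower(SHA256) in (ioc_hashes)
        or tolower(SHA1) in (ioc_hashes)
        or tolower(MD5) in (ioc_hashes)
    | project TimeGenerated, Table = "DeviceProcessEvents", DeviceName, FileName, SHA256;
// Outer union keeps each table's own columns; the Table column says where a hit came from.
union fw_hits, dns_hits, hash_hits
| order by TimeGenerated desc
```

The hash values are lower-cased on both sides because watchlist entries are often pasted in mixed case, and the "in" operator is case-sensitive; "in~" does the same for the domain match. Each of the three branches only works if the corresponding connector (CEF/Palo Alto, DNS, Defender for Endpoint) is actually sending data to the workspace, which is the point cyb3rmik3 raised about deciding which tables to look into.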