Forum Discussion
ThreatHunter2289
Nov 15, 2021 (Copper Contributor)
Looking for correct syntax for the below KQL query with multiple and/or conditions
Trying to generate an alert where more than 10 TXT requests have been sent in 5 min, or where base64 encoded data has been sent in the TXT or AAAA record of DNS
| where (count_ >= 10 and TimeSpan <= timespan(00:05:00) and RecordType == "TXT")
    or (Domain matches regex "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
        and strlen(Domain) > 40
        and RecordType in ("TXT", "AAAA"))
1 Reply
- Clive_Watson (Bronze Contributor)
Maybe something like this?
let fakeCount = 10; // placeholder for a per-client query count produced by a summarize step
DnsEvents
| where (fakeCount <= 10 and TimeGenerated > ago(5m) and QueryType == 'AAAA') // events from the last 5 minutes
    or (Name matches regex "[A-Za-z0-9]$" and strlen(Name) > 10 and QueryType in ('AAAA', 'TXT'))
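The two conditions discussed in this thread (a burst of TXT queries from one client inside a 5-minute window, and a long base64-looking label in a TXT or AAAA query) can be checked outside Sentinel as well. The following Python is an added example written for this thread; it is not code from either poster and not a Sentinel/KQL feature. It assumes a constructed log format of `timestamp client query_type name` per line, reuses the base64 regex from the question, and applies it to the leftmost label rather than the whole name, because dots are not part of the base64 alphabet so the full name would never match. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same anchored base64 pattern as the question's query (optional padding).
BASE64_RE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)

BURST_THRESHOLD = 10               # TXT queries from one client ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this sliding window
MIN_LABEL_LEN = 40                  # leftmost label longer than this is suspicious

# Constructed sample log: "<ISO timestamp> <client> <qtype> <name>" per line.
# 10.0.0.5 sends 10 TXT queries in 4.5 minutes; 10.0.0.9 sends two queries
# whose leftmost label is a long base64-alphabet string; 10.0.0.7 is benign.
SAMPLE_LOG = """
2021-11-15T10:00:00Z 10.0.0.5 TXT c1.tunnel.example
2021-11-15T10:00:30Z 10.0.0.5 TXT c2.tunnel.example
2021-11-15T10:01:00Z 10.0.0.7 A www.example.com
2021-11-15T10:01:00Z 10.0.0.5 TXT c3.tunnel.example
2021-11-15T10:01:10Z 10.0.0.7 TXT _dmarc.example.com
2021-11-15T10:01:30Z 10.0.0.5 TXT c4.tunnel.example
2021-11-15T10:02:00Z 10.0.0.5 TXT c5.tunnel.example
2021-11-15T10:02:00Z 10.0.0.9 TXT ZXhmaWxkYXRhMDAwMTExMjIyMzMzNDQ0NTU1NjY2Nzc3ODg4.tunnel.example
2021-11-15T10:02:05Z 10.0.0.9 AAAA YWFhYmJiY2NjZGRkZWVlZmZmZ2dnaGhoaWlpampqa2tr.tunnel.example
2021-11-15T10:02:10Z 10.0.0.9 AAAA this-is-a-long-but-legitimate-looking-hostname-label.example.com
2021-11-15T10:02:30Z 10.0.0.5 TXT c6.tunnel.example
2021-11-15T10:03:00Z 10.0.0.5 TXT c7.tunnel.example
2021-11-15T10:03:30Z 10.0.0.5 TXT c8.tunnel.example
2021-11-15T10:04:00Z 10.0.0.5 TXT c9.tunnel.example
2021-11-15T10:04:30Z 10.0.0.5 TXT c10.tunnel.example
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qtype, name)."""
    ts, client, qtype, name = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qtype, name


def looks_encoded(name):
    """True if the leftmost DNS label is long and made only of base64 characters."""
    label = name.split(".")[0]
    return len(label) > MIN_LABEL_LEN and BASE64_RE.match(label) is not None


def detect(lines):
    """Return (burst_alerts, encoded_alerts) for an iterable of raw log lines.

    burst_alerts:   [(client, time_of_10th_txt_query_in_window)], one entry per client
    encoded_alerts: [(client, qtype, name)] for every TXT/AAAA query with an encoded label
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent_txt = defaultdict(deque)   # client -> timestamps of TXT queries inside the window
    burst_flagged = set()
    burst_alerts, encoded_alerts = [], []

    for ts, client, qtype, name in events:
        if qtype == "TXT":
            window = recent_txt[client]
            window.append(ts)
            # Drop timestamps that fell out of the 5-minute sliding window.
            while window and ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and client not in burst_flagged:
                burst_flagged.add(client)
                burst_alerts.append((client, ts))

        if qtype in ("TXT", "AAAA") and looks_encoded(name):
            encoded_alerts.append((client, qtype, name))

    return burst_alerts, encoded_alerts


if __name__ == "__main__":
    bursts, encoded = detect(SAMPLE_LOG.splitlines())
    for client, ts in bursts:
        print(f"TXT burst: {client} reached {BURST_THRESHOLD} queries at {ts.isoformat()}")
    for client, qtype, name in encoded:
        print(f"encoded label: {client} {qtype} {name}")
```

Run against the constructed log it flags 10.0.0.5 once (at the tenth TXT query) and both 10.0.0.9 queries with base64-like labels, while the hyphenated long label and the short `_dmarc` TXT lookup pass. The same two predicates map directly onto the KQL in the thread: the burst check is what a `summarize count() by client, bin(TimeGenerated, 5m)` followed by `where count_ >= 10` expresses, and `looks_encoded` is the `matches regex ... and strlen(...) > 40` clause.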