Forum Discussion
Looking for Correct Syntax for below Kql Query with multiple and or conditions
Trying to generate alert where more than 10 txt request has been sent in 5 min or where bas64 encoded data has been sent in txt or AAAA record of DNS | where (count_ >= 10 and TimeSpan <= timespa...
Maybe something like this?
let fakeCount = 10;
DnsEvents
| where
(fakeCount <= 10 and TimeGenerated < ago(5m) and QueryType =='AAAA')
or
(Name matches regex "[A-Za-z0-9]$" and strlen(Name)>10 and QueryType in ('AAAA','TXT'))