Forum Discussion
Searching Historical Logs for Threat Intelligence Matches.
See if this works.
First, define a variable that will contain a list of all the URLs in the threat indicator table.
let TIUrls = toscalar(ThreatIntelligenceIndicator
| summarize make_set(Url));
Then, you use mv-apply to compare the URL value against each indicator in the variable above.
Table //Table that contains the traffic logs
| summarize by URL
| where isnotempty(URL)
| mv-apply l=TIUrls to typeof(string) on
(where URL contains l)
Thanks for you suggestion. I tried it and it works in a sense. It doesn't throw any errors, but I need to know which URLs from the Threat Intelligence list was matched, is there a way to output them side by side, kind of like the Join operator.
If you want to compare identical columns, the template JBUB_Accelerynt posted looks fine.
If you want to check your logs against a list of URLs/DomainNames, then you would probably need to use the solution I listed.
When using mv-apply, the matched indicator URLs will be stored in the l column, when there are matches.
If you want to show all the info of the entry in the Threat indicator table, you can add the join bit below.
let TIUrls = toscalar(ThreatIntelligenceIndicator | summarize make_set(Url)); | mv-apply l=TIUrls to typeof(string) on (where URL contains l) | join ThreatIntelligenceIndicator on $left.l=$right.UrlThe query I created is comparing with the Url field of the threat intelligence indicators, but if you want to compare with DomainNames instead, you can edit row 2 and 5, and change the "Url" for "DomainName".
let TIUrls = toscalar(ThreatIntelligenceIndicator | summarize make_set(DomainName)); | mv-apply l=TIUrls to typeof(string) on (where URL contains l) | join ThreatIntelligenceIndicator on $left.l=$right.DomainName