Call all watchlist column entities in incident.


We have created a watchlist which has 3 columns. So if any incident is triggered from the watchlist, we should get all entities in the incident. We have created the watchlist based on ThreatIntel. It has 3 columns: IPAddress, MalwareName, Provider. So we have projected only "IPAddress" from the watchlist in the analytical rule, but we want IPAddress along with MalwareName and Provider in the incident.


Can someone help regarding KQL for the above situation?

5 Replies
You will not be able to have anything in the incident that is not part of the analytic rule unless you add it as a comment later. I would suggest having all that information added as entities (or at least one entity that is a JSON array) so you can access it in the Incident itself.

@GBushey 


This is the query below.


let Watchlist = (_GetWatchlist('xyz')
| project SearchKey);
DeviceNetworkEvents
| where LocalIP in (Watchlist) or RemoteIP in (Watchlist)


Below are the watchlist columns, which are IPAddress, Provider and MalwareName. How can all columns be included in the above query?


Get rid of the "project" statement if you want to see all the columns. The "project" statement will only show those columns that are included as part of the statement ("SearchKey" in this case).

@GBushey 


I am getting below error.


The way you have your code written, it is looking for "SearchKey" as part of the "DeviceNetworkEvents" table rather than the watchlist. You would need to do a join or a union to have that field show up in your results.
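One way to do the join described above, as an added example that is not from the thread: the watchlist name 'xyz' and the columns IPAddress, MalwareName and Provider are taken from the question; the output column names (MatchedIP and the like) are assumptions.

```kql
// Added example, not the poster's query. Joins the ThreatIntel watchlist 'xyz'
// to DeviceNetworkEvents so that MalwareName and Provider are present in the
// rule results and can be mapped to entities / custom details in the incident.
let WL = _GetWatchlist('xyz')
    | project IPAddress = tostring(IPAddress),
              MalwareName = tostring(MalwareName),
              Provider = tostring(Provider);
DeviceNetworkEvents
// Put both endpoints into one column so a single join key covers LocalIP and RemoteIP
| extend MatchedIP = pack_array(LocalIP, RemoteIP)
| mv-expand MatchedIP to typeof(string)
| where isnotempty(MatchedIP)
// Inner join keeps only events whose local or remote IP is on the watchlist
| join kind=inner WL on $left.MatchedIP == $right.IPAddress
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, MatchedIP, MalwareName, Provider
```

In the analytics rule, MatchedIP can then be mapped to the IP entity and MalwareName / Provider surfaced through entity mapping or custom details, so they appear on the incident rather than only in the query results.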