Mar 22 2023 06:00 AM
We have created a watchlist which has 3 columns. So if any incident is triggered from the watchlist, we should get all entities in the incident. We have created the watchlist based on ThreatIntel. It has 3 columns: IPAddress, MalwareName, Provider. So we have projected only "IPAddress" from the watchlist in the analytical rule, but we want IPAddress along with MalwareName and Provider in the incident.
Can someone help regarding KQL for the above situation?
Mar 28 2023 03:55 AM
This is the query below.
// Watchlist alias 'xyz'; only the SearchKey column is projected here
let Watchlist = (_GetWatchlist('xyz')
| project SearchKey);
DeviceNetworkEvents
| where LocalIP in (Watchlist) or RemoteIP in (Watchlist)
Below are the watchlist columns, which are IPAddress, Provider and MalwareName. How can all columns be included in the above query?
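The following is an added example, not a reply from the thread and not code from Microsoft's documentation. It shows how to carry every watchlist column into the detection result instead of projecting only SearchKey: project the columns you need from the watchlist, keep the existing `in` filter to find matching events, then `join` on the IP so MalwareName and Provider travel with each hit. It assumes the watchlist alias `xyz` and the columns IPAddress, MalwareName and Provider named in the question, and it assumes SearchKey was set to IPAddress when the watchlist was created (so SearchKey and IPAddress hold the same values).

```kusto
// Added example (not from the thread): enrich DeviceNetworkEvents hits with all watchlist columns.
// Assumption: watchlist 'xyz' has columns IPAddress, MalwareName, Provider and SearchKey = IPAddress.
let WatchlistIPs = _GetWatchlist('xyz')
    | project IPAddress = tostring(IPAddress),
              MalwareName = tostring(MalwareName),
              Provider = tostring(Provider);
DeviceNetworkEvents
// Same match condition as the original rule, in either direction.
| where LocalIP in (WatchlistIPs | project IPAddress)
     or RemoteIP in (WatchlistIPs | project IPAddress)
// One row per candidate IP so the join key is a single column.
| extend MatchedIP = pack_array(LocalIP, RemoteIP)
| mv-expand MatchedIP to typeof(string)
// Inner join keeps only the IP that is actually on the watchlist and attaches its metadata.
| join kind=inner WatchlistIPs on $left.MatchedIP == $right.IPAddress
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort,
          MatchedIP, MalwareName, Provider, InitiatingProcessFileName
```

In the analytics rule, map the IP entity to `MatchedIP` and surface `MalwareName` and `Provider` through the rule's custom details (or as extra entity mappings) so they appear on the incident; a column that is only in the query output but not mapped or added as a custom detail is not shown on the incident itself. The `tostring()` casts guard against the watchlist columns being typed as dynamic, which would otherwise make the `in` filter and the join silently match nothing.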