KQL Query for Match IoC from WatchList

Not applicable

Hi all,

can you help me to make a query to match IoC that i imported from a csv file in to a a watchlist?

My query at the moment is:


let Ioc = _GetWatchlist('ioc');
| where CallerIpAddress != ''
| extend WhoDidIt = Caller, ResourceName = tostring(parse_json(Properties).resource)
| join Ioc on $left.CallerIpAddress == $right.SearchKey
| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, WhoDidIt, ResourceName, ResourceGroup


but my ioc list contains hash, domains, url and i wanto to integrate in my threat hunting query.

My ioc list has 2 columns ioc_type and ioc_value.


Thanks all,


1 Reply
best response
Have a look at this example here -

This has a few different types of IOCs, in this example they are just a list which is cast as a variable but with your example you can use your watchlist as the source, i.e

let domains= _GetWatchlist('ioc') | where ioc_type == "domains" | project ioc_type;
let hashes= _GetWatchlist('ioc') | where ioc_type == "hashes" | project ioc_type;

Then search in your relevant data for the information using unions like in that example above