Feb 25 2022 02:57 AM - edited Feb 25 2022 02:58 AM
Hi all,
Can you help me make a query to match IoCs that I imported from a CSV file into a watchlist?
My query at the moment is:
let Ioc = _GetWatchlist('ioc');
AzureActivity
| where CallerIpAddress != ''
| extend WhoDidIt = Caller, ResourceName = tostring(parse_json(Properties).resource)
| join Ioc on $left.CallerIpAddress == $right.SearchKey
| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, WhoDidIt, ResourceName, ResourceGroup
But my IoC list contains hashes, domains and URLs, and I want to integrate them in my threat hunting query.
My IoC list has 2 columns: ioc_type and ioc_value.
Thanks all,
Regards
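
One way to match each IoC type against a table that carries that kind of value, as an added example that is not part of the original thread. It assumes the ioc_type column holds the values 'ip', 'domain' and 'sha256', and that the DnsEvents and DeviceFileEvents tables are available in the workspace; adjust both to your data.

```kusto
// Added example. The ioc_type values ('ip', 'domain', 'sha256') are assumed;
// the thread only names the columns ioc_type and ioc_value.
let Ioc = _GetWatchlist('ioc')
    | project ioc_type  = tolower(tostring(ioc_type)),
              ioc_value = tolower(trim(@"\s+", tostring(ioc_value)));
let IpIoc     = Ioc | where ioc_type == 'ip';
let DomainIoc = Ioc | where ioc_type == 'domain';
let HashIoc   = Ioc | where ioc_type == 'sha256';
// isfuzzy=true lets the query run even if one of the tables is not present.
union isfuzzy=true
(
    // IP indicators against Azure control-plane activity (table from the original query)
    AzureActivity
    | where isnotempty(CallerIpAddress)
    | join kind=inner IpIoc on $left.CallerIpAddress == $right.ioc_value
    | project TimeGenerated, ioc_type, ioc_value, SourceTable = Type,
              Entity = Caller, Detail = OperationNameValue
),
(
    // Domain indicators against DNS queries (assumed data source)
    DnsEvents
    | where isnotempty(Name)
    | extend QueryName = tolower(Name)
    | join kind=inner DomainIoc on $left.QueryName == $right.ioc_value
    | project TimeGenerated, ioc_type, ioc_value, SourceTable = Type,
              Entity = ClientIP, Detail = QueryName
),
(
    // File-hash indicators against endpoint file events (assumed data source)
    DeviceFileEvents
    | where isnotempty(SHA256)
    | extend FileHash = tolower(SHA256)
    | join kind=inner HashIoc on $left.FileHash == $right.ioc_value
    | project TimeGenerated, ioc_type, ioc_value, SourceTable = Type,
              Entity = DeviceName, Detail = FileName
)
| sort by TimeGenerated desc
```

Lower-casing both sides avoids missed matches when the CSV and the logs differ in case, which is common for hashes and domain names.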
Feb 25 2022 02:17 PM