Microsoft Tech Community
SOLVED

KQL Query for Match IoC from WatchList

Deleted
Not applicable

Hi all,

Can you help me make a query to match IoCs that I imported from a CSV file into a watchlist?

My query at the moment is:


let Ioc = _GetWatchlist('ioc');   // watchlist imported from the CSV; SearchKey is its configured search column
AzureActivity
| where CallerIpAddress != ''
| extend WhoDidIt = Caller, ResourceName = tostring(parse_json(Properties).resource)
// kind=inner keeps every matching activity row; the default (innerunique) would collapse
// repeated hits from the same caller IP to a single row
| join kind=inner Ioc on $left.CallerIpAddress == $right.SearchKey
| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, WhoDidIt, ResourceName, ResourceGroup


but my IoC list contains hashes, domains and URLs, and I want to integrate it into my threat hunting query.

My IoC list has two columns: ioc_type and ioc_value.


Thanks all,

Regards

1 Reply
best response
Solution
Have a look at this example here - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs...

This has a few different types of IOCs; in this example they are just a list which is cast as a variable, but with your example you can use your watchlist as the source, i.e.:

// project ioc_value (the indicator itself); projecting ioc_type would only return the constant type label
let domains = _GetWatchlist('ioc') | where ioc_type == "domains" | project ioc_value;
let hashes  = _GetWatchlist('ioc') | where ioc_type == "hashes"  | project ioc_value;

Then search in your relevant data for the information using unions like in that example above.
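
A fuller version of that pattern, added here as an illustration and not taken from the thread or from the linked detection: it splits the watchlist by ioc_type and checks each indicator type against the table where that kind of indicator would actually appear, then unions the hits into one result set. The ioc_type values ("ip", "domain", "url", "hash"), the lookback window and the target tables (DnsEvents, CommonSecurityLog, DeviceFileEvents) are assumptions; adjust them to what the CSV contains and which connectors are enabled in the workspace.

```kql
// Added example (not from the original thread). Assumes a watchlist named 'ioc'
// with columns ioc_type and ioc_value, where ioc_type is one of ip/domain/url/hash.
let lookback = 14d;
let Ioc = _GetWatchlist('ioc');
// Normalise the indicators once so comparisons are case-insensitive and whitespace-safe.
let ips     = Ioc | where ioc_type =~ "ip"     | project ioc_value = tolower(trim(@"\s", ioc_value));
let domains = Ioc | where ioc_type =~ "domain" | project ioc_value = tolower(trim(@"\s", ioc_value));
let urls    = Ioc | where ioc_type =~ "url"    | project ioc_value = tolower(trim(@"\s", ioc_value));
let hashes  = Ioc | where ioc_type =~ "hash"   | project ioc_value = tolower(trim(@"\s", ioc_value));
// Every branch projects the same columns so the union lines up.
// isfuzzy=true lets the query run even if one of the tables does not exist in this workspace.
(union isfuzzy=true
  // IP indicators against Azure Activity caller addresses (the original poster's case)
  (AzureActivity
   | where TimeGenerated > ago(lookback)
   | where isnotempty(CallerIpAddress)
   | where CallerIpAddress in (ips)
   | project TimeGenerated, Source = Type, Account = Caller, Indicator = CallerIpAddress,
             IocType = "ip", Detail = OperationNameValue),
  // Domain indicators against DNS query logs
  (DnsEvents
   | where TimeGenerated > ago(lookback)
   | where tolower(Name) in (domains)
   | project TimeGenerated, Source = Type, Account = "", Indicator = Name,
             IocType = "domain", Detail = ClientIP),
  // URL indicators against proxy / firewall logs in CEF format
  (CommonSecurityLog
   | where TimeGenerated > ago(lookback)
   | where tolower(RequestURL) in (urls)
   | project TimeGenerated, Source = Type, Account = SourceUserName, Indicator = RequestURL,
             IocType = "url", Detail = DeviceVendor),
  // Hash indicators against Defender file events (match on whichever hash algorithm the list uses)
  (DeviceFileEvents
   | where TimeGenerated > ago(lookback)
   | where tolower(SHA256) in (hashes) or tolower(SHA1) in (hashes) or tolower(MD5) in (hashes)
   | project TimeGenerated, Source = Type, Account = InitiatingProcessAccountName, Indicator = SHA256,
             IocType = "hash", Detail = FileName)
)
// Collapse repeated hits so the analyst sees one row per indicator/account/source with first and last sighting.
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Source, IocType, Indicator, Account
| order by LastSeen desc
```

Using `in (tabular)` instead of a `join` keeps each branch simple and avoids the innerunique-join behaviour that silently drops repeated events from the same key. The `summarize` at the end is for triage; drop it if you want the raw matching events for an incident timeline.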
