cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

KQL Query for Match IoC from WatchList

sulaimanncs915
Copper Contributor

‎Dec 20 2023 05:38 PM

‎Dec 20 2023 05:38 PM

KQL Query for Match IoC from WatchList

Hi All,

 

I would like to create a Watchlist for Hashes, URLs, Domains and IPs.

 

After that i would like to create a KQL query to search the watchlist.

 

Kindly help.

Labels:
329 Views
0 Likes
3 Replies
Reply
3 Replies
cyb3rmik3

‎Dec 20 2023 10:38 PM

‎Dec 20 2023 10:38 PM

Re: KQL Query for Match IoC from WatchList

@sulaimanncs915 hi,

 

you may find a very good guide at the link below to start building your watchlists which includes a query as well:

https://charbelnemnom.com/how-to-use-watchlist-in-azure-sentinel/#Create_a_hunting_query

 

But, mentioning hashes, IPs, urls and domains, that statement alone includes many tables to look into. Can you be more specific?

0 Likes
Reply
sulaimanncs915

‎Dec 26 2023 07:49 PM

‎Dec 26 2023 07:49 PM

Re: KQL Query for Match IoC from WatchList

hi how can i search palo alot firewall logs for source IP ? any query
0 Likes
Reply
samikroy

‎Dec 29 2023 05:52 AM

‎Dec 29 2023 05:52 AM

Re: KQL Query for Match IoC from WatchList

@sulaimanncs915 - First you need find where the Palo Alto Firewall Logs are ingestion .
Lets say, it is ingested into CommonSecurityLog table , the query should be like

CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct has "PAN-OS"
| where SourceIP == "<your IP address>"
0 Likes
Reply