cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

KQL "not in watchlist" not working

jams_k8
Copper Contributor

‎Jan 12 2023 10:10 AM - edited ‎Jan 12 2023 10:13 AM

‎Jan 12 2023 10:10 AM - edited ‎Jan 12 2023 10:13 AM

KQL "not in watchlist" not working

Hi, I am trying to create a query that will display SHA256 hashes of .XLL files that are known as malicious or unknown hashes, while ignoring known good hashes. I have created 2 watchlists, "good" and "bad" containing known good SHA256 hashes and known bad and my query uses the following logic:

 

 

let good_ = _GetWatchlist("good_xll") | project  SHA256;
let bad_ = _GetWatchlist("bad_xll") | project  SHA256;
DeviceImageLoadEvents
| where FileName endswith ".xll"
| where SHA256 !in(good_) or SHA256 in(bad_)

 

 

There should only be 1 result appearing because I created my own malicious test .xll file but instead, it shows up along with 1 or 2 other .xlls with hashes that are part of the "good" watchlist.

 

I have tested various methods and the only thing that ended up working was to manually create a list of strings within the query like: where SHA256 !in("hash1""hash2""hash3", etc...)

 

Thanks in advance and any suggestions of what I may be doing wrong?

Labels:
1,064 Views
0 Likes
2 Replies
Reply
2 Replies
Clive_Watson

‎Jan 13 2023 05:57 AM

‎Jan 13 2023 05:57 AM

Re: KQL "not in watchlist" not working

Are you have a case sensitivity issue, maybe try:

| where FileName endswith tolower(".dll")

or

| where SHA256!in~ (good_)
0 Likes
Reply
jams_k8

‎Jan 13 2023 08:14 AM

‎Jan 13 2023 08:14 AM

Re: KQL "not in watchlist" not working

@Clive_Watson 

Hi, I tried adding your suggestions but it is still displaying the items included in the watchlist.

 

I've attached a screenshot of my actual query and the watchlist I am using and as you can see, the resulting SHA256s are exact matches to that of the workbook. Suspicious file.xll is my test file that is being properly reported, but I can't seem to figure out why the SHA256s in the workbook are still being displayed

My queryMy query

Watchlist resultsWatchlist results

0 Likes
Reply