Aug 10 2022 04:55 AM
Hi Team,
Please help me resolve this issue. We created a playbook that matches outbound traffic against threat intelligence, but for some time it has been producing a blank Excel sheet. Previously it returned results 2-3 times a week, but we have not received any output from this playbook for a long time. If we run the query manually, the message shown is "The query couldn't be processed in less than 10 minutes, which might happen when large volumes of old data are retrieved.
Try running the query again". The playbook is scheduled daily.
Please find query for this.
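// Daily export: outbound Palo Alto traffic whose destination matches an active
// threat-intelligence IP indicator. Firewalls listed in the watchlist are
// excluded from the log side before the join.
let deviceIP = (_GetWatchlist('manufacturingFirewalls') | project SearchKey);
// Bound the indicator scan by ingestion time. With no TimeGenerated filter the
// whole ThreatIntelligenceIndicator table is scanned, which is what produces the
// "large volumes of old data" timeout. 14d is a constructed default - tune it to
// how far back your TI connector ingests indicators.
let ioc_lookBack = 14d;
// Traffic window for the CommonSecurityLog side (unchanged from the original).
let dt_lookBack = 7d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Keep only indicators that carry an IP entity we can join on.
| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
// Pick one IP per indicator: NetworkIP first, then NetworkDestinationIP, then
// NetworkSourceIP as the last fallback. The original tested isnotempty() on the
// second line, which overwrote an already-chosen IP and left indicators that only
// have NetworkSourceIP with an empty key, so they could never match the join.
| extend entity_threat_IP = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend entity_threat_IP = iff(isempty(entity_threat_IP) and isnotempty(NetworkSourceIP), NetworkSourceIP, entity_threat_IP)
| where isnotempty(entity_threat_IP)
// Carry only the indicator columns the rest of the query reads.
| project TimeGenerated, ExpirationDateTime, entity_threat_IP, Tags, Description
// kind=inner keeps every indicator that matches a destination. The default flavor
// (innerunique) keeps only one left row per join key, so when several indicators
// share an IP the others' Tags/Description were silently dropped from the report.
| join kind=inner (
    workspace(".....").CommonSecurityLog
    | union workspace("....").CommonSecurityLog, workspace("..........").CommonSecurityLog, workspace("...........").CommonSecurityLog, workspace("..........").CommonSecurityLog
    | where TimeGenerated > ago(dt_lookBack)
    | where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS" and Activity =~ "traffic"
    | where DeviceAction !in ("reset-both", "deny", "reset-server", "reset-client")
    | where DeviceCustomString5 in~ ("outside","Outside","Outside-ISP2", "untrust", "PRISMA_INSIDE")
    | where Computer !in (deviceIP)
    | extend CommonSecurityLog_TimeGenerated = TimeGenerated
    // Shrink the right side to the columns the final projection needs before the join.
    | project CommonSecurityLog_TimeGenerated, SourceIP, SourceTranslatedAddress, SourcePort, SourceUserName, DestinationIP, DestinationPort, ApplicationProtocol, DeviceAction, DeviceCustomNumber2, DeviceCustomString1, Computer
) on $left.entity_threat_IP == $right.DestinationIP
// Only count traffic seen after the indicator was ingested and before it expires.
| where CommonSecurityLog_TimeGenerated > TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
| project TrafficTimestamp = CommonSecurityLog_TimeGenerated, SourceIP, SourceTranslatedAddress, Source_Port=strcat(SourcePort), SourceUserName, DestinationIP, Destination_port=strcat(DestinationPort), ApplicationProtocol, Firewall_Action = DeviceAction, Packets= DeviceCustomNumber2, Rule= DeviceCustomString1, Firewall =Computer, IOC_Tag = Tags, IOC_Expiration = ExpirationDateTime, IOC_Source = Description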
Aug 10 2022 11:58 AM
Aug 11 2022 03:15 AM
Aug 11 2022 04:35 AM
Aug 11 2022 04:58 AM
Aug 11 2022 05:34 AM
Here you can see the two lines above the arrow that match your query; you can then add either of my suggestions where the arrow is. Later lines will fail because the columns they need won't be there, so for testing you should remove the lines after the join.
I'd do some testing with a reduced set of KQL, something like this, to get this section optimized:
// Reduced test query: run the CommonSecurityLog side of the join on its own and
// summarize it, so the expensive section can be tuned before the join is re-added.
// The watchlist is replaced by a literal list so the test does not depend on it.
let deviceIP = dynamic (['fakeComputer']);
CommonSecurityLog
| where TimeGenerated > ago(7d)
    and DeviceVendor =~ "Palo Alto Networks"
    and DeviceProduct =~ "PAN-OS"
    //and Activity =~ "traffic"
    and DeviceAction !in ("reset-both", "deny", "reset-server", "reset-client")
    //and DeviceCustomString5 in~ ("outside","Outside","Outside-ISP2", "untrust", "PRISMA_INSIDE")
    and Computer !in (deviceIP)
// Same alias the full query uses, so the join can be pasted back in unchanged.
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
// Option 1: daily volume and source set per firewall and action.
//| summarize count(), make_set(SourceIP) by Computer, DeviceAction, bin(CommonSecurityLog_TimeGenerated,1d)
// Option 2: volume, source set and most recent firewall seen, per action.
| summarize count(), make_set(SourceIP), arg_max(CommonSecurityLog_TimeGenerated, Computer) by DeviceAction
Aug 11 2022 06:02 AM
Aug 11 2022 06:10 AM
Aug 11 2022 06:32 AM