cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Query Returns Hardcoded values but not when Watchlist is used for partial match

abubakr786
Copper Contributor

‎Dec 14 2021 07:20 AM

‎Dec 14 2021 07:20 AM

Query Returns Hardcoded values but not when Watchlist is used for partial match

I am trying to create a usecase to partially match a text in a field and when that match also exists in a watchlist, but it only returns data when data is used hardcoded not when watchlist is placed!

QUERY WITH WATCHLIST: No data returned

let timeFrame = 1d;
let getExtensions = _GetWatchlist('EncryptedFileExtensions')
| project Extensions = ['FileExtensions']
;
Event
| where TimeGenerated >= ago(timeFrame)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == '11' or EventID == '15'
| where EventData in (getExtensions)
| parse EventData with * 'TargetFilename">C:' FilePathAndExt ':Zone.Identifier<' *
| where FilePathAndExt matches regex@'([\.]\w+)'
| summarize count() by FilePathAndExt

 

QUERY WITHOUT WATCHLIST: Returns Data

Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == '11' or EventID == '15'
| where EventData contains ".ods" or EventData contains ".rtf" or EventData contains ".odp"
| parse EventData with * 'TargetFilename">C:' FilePathAndExt ':Zone.Identifier<' *
| where FilePathAndExt matches regex@'([\.]\w+)'
| summarize count() by FilePathAndExt

 

Any suggestion would be highly appreciated!

294 Views
0 Likes
0 Replies
Reply
0 Replies