I'm trying to join Syslog with the ThreatIntelligenceIndicator table. This is what I have so far:
Syslog
| extend NetworkIP = SyslogMessage
| join ThreatIntelligenceIndicator on NetworkIP
| where Active == true
| summarize by TimeGenerated, Url, ThreatType, NetworkIP
The issue is that I'm trying to match the IPs that are within the SyslogMessage to the ThreatIntelligenceIndicator malicious IPs, and since there are a lot of words before the actual IPs within the SyslogMessage, I'm not going to get any hits. Can someone please point me in the right direction?
SyslogMessage can be in a few different formats depending on the vendor. This example uses an extract to find the value after "dst=" (the destination IP); you will have to adapt it for your string/format.
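The following KQL is an added worked example of that approach, not the query from the answer above. It assumes the Sentinel Syslog and ThreatIntelligenceIndicator tables, that the vendor writes the destination address as "dst=" in the message (adapt the regex otherwise), and a 14-day indicator lookback window chosen for illustration.

```kql
// Added example, not the original answer's query.
// Assumptions: Sentinel Syslog / ThreatIntelligenceIndicator schemas,
// a "dst=<ip>" token in SyslogMessage, and a 14-day TI lookback.
let lookback = 14d;
// Build a de-duplicated set of active, unexpired IP indicators.
// Each indicator is re-ingested on update, so keep only its latest row.
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP)
    | extend TI_IP = coalesce(NetworkIP, NetworkDestinationIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now();
Syslog
| where TimeGenerated > ago(1d)
// Pull the dotted-quad that follows "dst=" out of the free-text message;
// capture group 1 is returned, so surrounding words no longer matter.
| extend DstIP = extract(@"dst=(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
| where isnotempty(DstIP)
// Join on the extracted field rather than the whole message.
| join kind=inner ti_ips on $left.DstIP == $right.TI_IP
| project TimeGenerated, Computer, DstIP, ThreatType, Description,
          ConfidenceScore, IndicatorId, SyslogMessage
```

If the vendor logs the source address instead, extract "src=" the same way and compare against NetworkSourceIP as well.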