Apr 12 2024 05:07 AM - edited Apr 12 2024 05:08 AM
Hi,
I have a watchlist with 50 IP addresses. I would need help to search for the IPs in all tables, regardless of the column, in my L.A.W.
Please help me with the KQL query.
Apr 16 2024 05:59 AM
Apr 18 2024 11:30 PM
Apr 19 2024 12:02 AM - edited Apr 19 2024 12:03 AM
@sulaimanncs915 Sentinel has a query timeout limit of 10 minutes. Depending on your table size, you MAY be successful in executing the search() query. I believe you are doing an IoC search, so if there are multiple hits for your IPs and the table size is bigger, then there will be a performance hit and your query may time out as well.
I would suggest narrowing down, for every table, which column has the data you want to look up, and then performing the search on those columns. Basically you can have one main function and then subfunctions within it running the search for the individual tables.
Check the following post:
https://techcommunity.microsoft.com/t5/microsoft-sentinel/kql-query-for-match-ioc-from-watchlist/m-p...
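The two approaches described in the reply above, as an added example that is not part of the original thread. It assumes a Sentinel watchlist named 'SuspiciousIPs' with the IPs in a column called 'IPAddress' (both hypothetical names), and it uses a handful of commonly ingested Sentinel tables (SecurityEvent, SigninLogs, CommonSecurityLog, DeviceNetworkEvents) with their standard IP columns; remove or adapt the legs for tables your workspace does not ingest.

```kql
// Added example (not from the original thread). Assumed watchlist name
// 'SuspiciousIPs' and assumed IP column 'IPAddress'.
let IoC_IPs = _GetWatchlist('SuspiciousIPs')
    | project IPAddress = tostring(IPAddress);
// Materialise the 50 IPs once as a dynamic array so every leg can reuse them.
let ipList = toscalar(IoC_IPs | summarize make_set(IPAddress));
//
// --- Approach 1: brute force, every table and every column ---
// This is what "search all tables regardless of column" translates to. It scans
// the whole workspace for the selected time range, so on a large workspace it
// can run into the 10 minute limit mentioned above. Left commented out here;
// if you try it, keep the time range short.
//
// search * has_any (ipList)
// | project TimeGenerated, $table
//
// --- Approach 2: targeted per-table lookups, unioned by a "main" query ---
// One small function per table that knows which columns carry IPs. Each leg
// normalises its output to the same columns so the union lines up.
let fromSecurityEvent = (ips: dynamic) {
    SecurityEvent
    | where IpAddress in (ips)
    | project TimeGenerated, SourceTable = "SecurityEvent", MatchedIP = IpAddress,
              Principal = Account, Asset = Computer
};
let fromSigninLogs = (ips: dynamic) {
    SigninLogs
    | where IPAddress in (ips)
    | project TimeGenerated, SourceTable = "SigninLogs", MatchedIP = IPAddress,
              Principal = UserPrincipalName, Asset = AppDisplayName
};
let fromCommonSecurityLog = (ips: dynamic) {
    CommonSecurityLog
    | where SourceIP in (ips) or DestinationIP in (ips)
    // Record which side matched so the summary below is per indicator.
    | extend MatchedIP = iff(SourceIP in (ips), SourceIP, DestinationIP)
    | project TimeGenerated, SourceTable = "CommonSecurityLog", MatchedIP,
              Principal = SourceUserName, Asset = DeviceName
};
let fromDeviceNetworkEvents = (ips: dynamic) {
    DeviceNetworkEvents
    | where RemoteIP in (ips) or LocalIP in (ips)
    | extend MatchedIP = iff(RemoteIP in (ips), RemoteIP, LocalIP)
    | project TimeGenerated, SourceTable = "DeviceNetworkEvents", MatchedIP,
              Principal = InitiatingProcessAccountName, Asset = DeviceName
};
// Main query: run the per-table functions and roll the hits up per table and IP.
union
    fromSecurityEvent(ipList),
    fromSigninLogs(ipList),
    fromCommonSecurityLog(ipList),
    fromDeviceNetworkEvents(ipList)
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Principals = make_set(Principal, 20), Assets = make_set(Asset, 20)
  by SourceTable, MatchedIP
| order by Hits desc
```

Each leg only touches the columns that can hold an IP, so the engine reads far less data than a column-agnostic search over every table. Adding a table means adding one more function and one more line in the union; drop the final summarize if you want the raw matching events instead of a per-indicator roll-up.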
Apr 19 2024 02:58 AM