KQL (297 topics)

What exactly is the AppDisplayName "Microsoft Authentication Broker"?

Hello, when reviewing failed sign-in attempts through KQL (invalid username/password), I sometimes see the AppDisplayName "Microsoft Authentication Broker". I have tried looking for the answer online, and it does seem to be related to some kind of authentication broker service (makes sense given the name), but I have yet to figure out what exactly it is. I guessed that this was perhaps the Microsoft authentication app, but I did some testing on my own device and was unable to trigger the logs for Microsoft Authentication Broker. Does anyone else have experience dealing with these? Might it be something going on in the background at Microsoft?

Solved | 70K views | 0 likes | 5 comments

KQL String Search With Wildcards?

Is it possible to do KQL string searches with wildcards? For example, I'm hunting for files written to C:\ProgramData\ but I don't want to see files written to subfolders. I've done this in Splunk, so I was surprised that the last line in my query below does not filter out anything.

Show this: C:\ProgramData\evil.exe
Filter this out: C:\ProgramData\MyApp\NotEvil.exe

Query:

    DeviceFileEvents
    | where ActionType == "FileCreated"
    | where FolderPath contains "ProgramData"
    | where FolderPath !contains "ProgramData\\*\\*"

Solved | 57K views | 0 likes | 2 comments

Searching Historical Logs for Threat Intelligence Matches

Hello all, I was just wondering what the best or most efficient way to search logs for threat intelligence IOCs is. I saw a previous post explaining how to do it if you would like to search a large number of values via a watchlist, but I would like to do it only for threat intelligence IOCs. I have a search below that works for IP addresses and can also be applied to file hashes.

    ThreatIntelligenceIndicator
    | where isnotempty(NetworkIP)
    | summarize by ThreatIntelIP=NetworkIP
    | join (
        Network_MetaParser
        | where isnotempty(SrcIpAddr)
        | summarize by SrcIpAddr, DstIpAddr, EventProduct, DvcAction, DstPortNumber, NetworkProtocol, TimeGenerated
    ) on $left.ThreatIntelIP == $right.DstIpAddr

My question is regarding URLs/domain names. How do I search my logs for any URLs/domains that match or contain the URL/domain values from threat intelligence? I've tried doing something like the below, but it doesn't seem to work. Any suggestions would be greatly appreciated!

    | summarize by URL
    | where isnotempty(URL)
    | where URL has_any (ThreatIntelligenceIndicator)

17K views | 0 likes | 4 comments

Escape character in KQL?

Hello guys, I have a problem where I'm unable to escape characters in my KQL query. We are ingesting some custom Windows event logs that are being "normalized" in XML format. However, when Sentinel normalizes these events, it puts all of them in nested fields. It does this for some of the Azure logs as well. Usually I can retrieve some data from those by using the following query:

    AzureActivity
    | where OperationName == "signin"
    | expand Identity == OperationName.AdditionalFields.LoginIdentity

So basically, using the expand I extract the identity field that is nested within two other fields. This works fine; however, the log I'm working with has numbers as fields. So when I try the same thing with

    AzureActivity
    | where OperationName == "signin"
    | expand Identity == OperationName.01.LoginIdentity

it errors. It doesn't like that "01" part and the query won't run, not because 01 doesn't exist (it does) but because it's an integer? Not sure. So I am trying to escape the "01" part. See below for the log example that might help explain. In the image above, I want to extract fields like operation, processIdentity etc., so that I can then use these fields for further filtering or to build a workbook. Then in my query I can say:

    WindowsEvent
    | where EventID == "7777"
    | where processIdentity == "identity"

Any help appreciated 🙂

11K views | 0 likes | 3 comments

Combine 2 columns into a single column in KQL

Hi, I have data in sign-in logs as username and location. I want to combine the username and location columns and add them to a third column. How can I do that in KQL? I have data like:

    User Name   Location
    User-1      IN
    User-2      US
    User-3      GB
    User-4      MX

I want it like the following:

    User Details
    User-1 - IN
    User-2 - US
    User-3 - GB
    User-4 - MX

9.8K views | 0 likes | 1 comment

KQL query in Sentinel for a user's first activity

Hi all, since I am new to writing queries I would really appreciate your help. I need to write a query that will show a specific user's first activity and last activity in a day. I also need to project which activity it was and, to sum it all up, I need the results to be in a row for each day. I would really appreciate any suggestions or help. Thank you

9.1K views | 0 likes | 12 comments

Kusto query question: expanding multi-row, getting values from named keys

I want to query the OfficeActivity table and pull out values from the Parameters field. The field is a JSON string, so I know I need to convert it to dynamic, and then I need to get values for Identity and User etc. I do not know at what position Identity and User appear, so I cannot use normal [0] or [1] indexing. I would like the end result to be something like this:

    TimeGenerated  Operation              UserId  Parameters.Identity  Parameters.User  Parameters.AccessRights
    x/x/x/         Add-MailboxPermission  Bob     John                 Peter            FullAccess

7.8K views | 0 likes | 7 comments

Integration of Microsoft Sentinel & Microsoft Teams for integration of alerts

What are some of the best methods and strategies to start implementing an integration between Sentinel and Teams where, when certain instances or alerts occur, said alerts can be pinged to certain members on Microsoft Teams, e.g. through the use of playbooks, automations and setting up an API connection to integrate the two?

7.7K views | 0 likes | 4 comments