Advanced Threat Hunting - Exclusion by two (or more) conditions

Copper Contributor



I am searching for a possibility of excluding entries based on two conditions being met.


So far I have been excluding things like this (examples):

let InitiatingProcessCommandLineExclude = dynamic(['\"blalbabllbaa.blablaa\"']);


let cmd_list = pack_array('/""');
let cmd_regex = strcat("(^", strcat_array(cmd_list, ")|("), ")");


// then doing for example

let cmdExclusion = RemoteUrlExclusion | where InitiatingProcessCommandLine matches regex cmd_regex;

Table | join kind=leftanti cmdExclusion on InitiatingProcessCommandLine

| project blablalba

| order by blalbalbbala


Now, though, I've run into entries that would be most easily excluded if I could set two conditions that exclude them (one is not enough, because it would exclude too much, and I don't want to lose precious data).


Do you have any ideas about what I could do?

I think I'm having narrow vision problems here.



Since there are still no replies, I thought about it, and it is possible to:


1. Create a new table based on the events we want to filter

2. Create 2 new arrays and store the conditions we need inside them, optionally using 'matches regex'

3. Filter like this: table1 | where Column1 matches 1st array | where Column2 matches 2nd array

4. Filter the events out of your 'main' table with a leftanti join against this new table


or filter by one condition, put that out into a new table, then filter by the second condition


Simple enough; my mind was clouded for a while. I'm going to try it and tell anyone who might be looking for this how it works.



Well, the problem is still how to do it en masse, without creating lots of new tables.

Or does it have no effect on query efficiency/CPU load? Then maybe creating lots of tables and then doing anti-joins is the way... Though it complicates the query a lot, creating a table for every item that I want to exclude based on 2 conditions...

0 Replies
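The four-step procedure above, and the "en masse" concern at the end, can be handled with one rule table and one join instead of a new let-table per exclusion. The following Advanced Hunting (KQL) query is an added example, not code from the original post: the Events table is a constructed stand-in for a hunting table such as DeviceNetworkEvents, the rule column names CmdToken and UrlSuffix are my own, and the sample rows are made up. Each rule row is an AND of its two columns (both must match for an event to be dropped); the rows of the rule table are OR-ed together by the join, so adding an exclusion means adding one line to the rule table.

```kusto
// Added example (not the original poster's code). Only InitiatingProcessCommandLine
// and RemoteUrl are real Advanced Hunting column names; everything else is illustrative.
// Constructed sample events standing in for a real hunting table.
let Events = datatable(Timestamp:datetime, DeviceName:string, InitiatingProcessCommandLine:string, RemoteUrl:string)
[
    datetime(2024-01-01 10:00:00), "host1", "svchost.exe -k netsvcs",   "updates.example.com",
    datetime(2024-01-01 10:01:00), "host1", "svchost.exe -k netsvcs",   "login.attacker.test",
    datetime(2024-01-01 10:02:00), "host2", "powershell.exe -enc AAAA", "updates.example.com",
    datetime(2024-01-01 10:03:00), "host2", "backup.exe /sync",         "backup.example.net",
    datetime(2024-01-01 10:04:00), "host3", "backup.exe /sync",         "pastebin.example"
];
// One exclusion per row. A row matches an event only when BOTH columns match,
// which is the "two conditions" requirement: svchost talking to something other
// than the update host, or a different binary talking to the update host, is kept.
let Exclusions = datatable(CmdToken:string, UrlSuffix:string)
[
    "svchost.exe", "updates.example.com",
    "backup.exe",  "backup.example.net"
];
// Cross-join every event with every rule via a constant key, keep the rows where
// both conditions hold, then project back to the event columns only.
let Matched = Events
    | extend _k = 1
    | join kind=inner (Exclusions | extend _k = 1) on _k
    | where InitiatingProcessCommandLine has CmdToken and RemoteUrl endswith UrlSuffix
    | project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl;
// leftanti: keep only events that matched no rule. In a real table, join on the
// columns that identify a row (e.g. Timestamp, DeviceId and ReportId) rather than
// on every column.
Events
| join kind=leftanti Matched on Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl
| order by Timestamp asc
// Expected: the 10:01, 10:02 and 10:04 rows remain; 10:00 and 10:03 are excluded.
```

For a handful of pairs, an inline `| where not(InitiatingProcessCommandLine has "svchost.exe" and RemoteUrl endswith "updates.example.com")` is enough and cheaper; the rule table earns its keep once the list of pairs grows. The cross join multiplies the event rows by the number of rules, so narrow Events (time window, device, action type) before the join rather than after it.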