User Profile
abubakr786
Copper Contributor
Joined 5 years ago
Recent Discussions
Query Returns Hardcoded values but not when Watchlist is used for partial match
I am trying to create a use case to partially match a text in a field and when that match also exists in a watchlist, but it only returns data when the data is hardcoded, not when the watchlist is placed!

QUERY WITH WATCHLIST: No data returned

let timeFrame = 1d;
let getExtensions = _GetWatchlist('EncryptedFileExtensions') | project Extensions = ['FileExtensions'];
Event
| where TimeGenerated >= ago(timeFrame)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == '11' or EventID == '15'
| where EventData in (getExtensions)
| parse EventData with * 'TargetFilename">C:' FilePathAndExt ':Zone.Identifier<' *
| where FilePathAndExt matches regex @'([\.]\w+)'
| summarize count() by FilePathAndExt

QUERY WITHOUT WATCHLIST: Returns Data

Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == '11' or EventID == '15'
| where EventData contains ".ods" or EventData contains ".rtf" or EventData contains ".odp"
| parse EventData with * 'TargetFilename">C:' FilePathAndExt ':Zone.Identifier<' *
| where FilePathAndExt matches regex @'([\.]\w+)'
| summarize count() by FilePathAndExt

Any suggestion would be highly appreciated!
452 Views, 0 Likes, 0 Comments

Re: Partial match with contains using watchlist
Clive_Watson I did as you suggested but it doesn't seem to be returning any data; does it look for matching partial data in the field like contains in this scenario? Modified query is: However, when I do so without watchlists the extensions exist and results are shown: What could be the issue here?
2.1K Views, 0 Likes, 0 Comments

Partial match with contains using watchlist
I am trying to create an alert when specific file extensions are found in any system, an alert is triggered. For which I have file extensions in a watchlist, I want to write a query that reads data from the file creation event in Sysmon and matches each extension with those in the watchlist; if any of them exists in the watchlist an alert will be triggered. So far this is what I am able to process, which is returning an error saying "Tabular expression is not expected in the current context."

Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == '11' or EventID == '15'
| where EventData contains _GetWatchlist('EncryptedFileExtensions')
| parse EventData with * 'TargetFilename">C:' FilePathAndExt ':Zone.Identifier<' *
| where FilePathAndExt matches regex @'([\.]\w+)'
| project EventID, FilePathAndExt

Any help would be appreciated, new to Kusto Query
2.3K Views, 0 Likes, 2 Comments

Re: Unable to utilize logic apps to feed data in a watchlist
GaryBushey This is what I asked. When you use the Logic App action to load an entity, you can access the raw (JSON) data that has been returned; since no value was returned, I couldn't find what is actually not returning the data. Is there any blog or documentation available of the implementation that you can share? All I need is to add an item to the custom watchlist; it doesn't matter what the trigger is.
2.2K Views, 0 Likes, 0 Comments

Re: Unable to utilize logic apps to feed data in a watchlist
GaryBushey What I meant to ask was: at any part in the logic app, does the input/output in raw contain the fetched value of an entity, which is the exact value of the entity that is added to the watchlist? Please also share whether the query being used to trigger a certain alert/incident requires projection or retrieval of the entities that are added to watchlists; however, the values required by the Get action are part of the payload of the event.
2.2K Views, 0 Likes, 2 Comments

Re: Unable to utilize logic apps to feed data in a watchlist
Hey GaryBushey, I've attached the details for each loop picture, along with the input/output run details for Get_Account and the For each loop for Get_Account. There is an input and output link for Get_Account, and also an input link for the for_each loop for Account, but it has no output link. I guess that would be the issue where I need help; pictures attached for reference.
2.3K Views, 0 Likes, 12 Comments

Unable to utilize logic apps to feed data in a watchlist
Hey, I am unable to add an item to my choice of watchlists using entities like an account, computer, hostname, or IP address; the step where the watchlist condition will take an input is being skipped by the logic app. Can anyone help regarding this? TIA
2.6K Views, 0 Likes, 14 Comments
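The three watchlist posts above (the "Partial match with contains using watchlist" question and its two follow-ups) run into the same two problems: `contains` takes a scalar on its right-hand side, so handing it a tabular `_GetWatchlist()` result produces the "Tabular expression is not expected" error, and `EventData in (getExtensions)` compares the entire EventData XML blob against each watchlist row, which is an exact whole-string match and therefore never hits. The query below is an added example, not code from the thread, from the replies, or from Microsoft. It assumes the watchlist is named EncryptedFileExtensions with a column FileExtensions holding values such as ".ods" (both taken from the posts), that Sysmon events land in the Event table with the `<Data Name="TargetFilename">` XML the posts parse, and a one-day window; the alias encryptedExts and the regular expressions are this example's own choices.

```kql
// Added example (not from the thread). Extract the file extension from each
// Sysmon file-create record and exact-match it against the watchlist, instead
// of substring-matching the whole EventData blob.
let timeFrame = 1d;                                // assumption: look-back window
// Normalise the watchlist once: lower-case, trimmed, always with a leading dot,
// so ".ODS ", "ods" and ".ods" all compare as ".ods". Projected to a single
// column so it can be used as the tabular argument of the `in` operator.
let encryptedExts =
    _GetWatchlist('EncryptedFileExtensions')       // watchlist name from the posts
    | extend Ext = tolower(trim(@"\s", tostring(FileExtensions)))
    | where isnotempty(Ext)
    | project Ext = iff(Ext startswith ".", Ext, strcat(".", Ext));
Event
| where TimeGenerated >= ago(timeFrame)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID in (11, 15)                        // 11 = FileCreate, 15 = FileCreateStreamHash
// Pull TargetFilename out of the EventData XML rather than matching the blob.
| extend TargetFilename = extract(@'<Data Name="TargetFilename">([^<]*)</Data>', 1, EventData)
| where isnotempty(TargetFilename)
// Keep only the last path component, then drop an alternate-data-stream suffix
// such as ":Zone.Identifier" (present on EventID 15 records, absent on EventID 11).
| extend FileName = extract(@'([^\\]+)$', 1, TargetFilename)
| extend FileName = tostring(split(FileName, ':')[0])
// The extension is the final dot-suffix of the file name.
| extend Ext = tolower(extract(@'(\.[^.\\]+)$', 1, FileName))
| where isnotempty(Ext) and Ext in (encryptedExts)
| summarize Count = count(), SampleFiles = make_set(FileName, 20) by Computer, Ext
| order by Count desc
```

Because the match is done on the extracted extension, it works for EventID 11 records (which have no ":Zone.Identifier" suffix and so were silently dropped by the original `parse ... ':Zone.Identifier<'` pattern) as well as for EventID 15 records, and a short watchlist entry such as ".od" cannot accidentally match ".ods". If a genuine substring match over a free-text field is really what is wanted, collapse the watchlist to a dynamic array with `toscalar(... | summarize make_list(Ext))` and use `has_any` on that array; `contains` itself cannot take a list.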