IOCs Watchlist


Hi All

I am looking for how to use Watchlist and run it against all my log sources, for example for IP address, hash, domain, and URL for the last 90 days.

Could anyone advise on how to do this, or is there any other way?

What type of Watchlist? E.g. will it be used to enrich the found data, so that if the watchlist has 1.1.1.1 with a description column of "my web server", the KQL will display a match?

The first example here helps with that https://learn.microsoft.com/en-us/azure/sentinel/watchlists#watchlists-in-queries-for-searches-and-d...

The challenge (could) be normalisation, in which case you will need to use the ASIM parsers where available. The issue with normalisation is that many tables don't name things the same, so in one it's IPAddress, in another SrcIpAddr, etc. If you have a few tables, then using a "union" in KQL may be an option, but for many tables it can be problematic.
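The approach described in the reply above (read the watchlist with `_GetWatchlist`, normalise a handful of tables with `union` so their indicator columns share one name, then `join` to enrich matches), as an added example that is not part of the original thread. It assumes a watchlist named `IOCs` with columns `Type`, `Value` and `Description`; the raw-table column names are the usual Sentinel ones but should be checked against your own schemas.

```kql
// Added example, not from the original post. Assumes a watchlist named "IOCs"
// with columns Type (IP | Hash | Domain | URL), Value (the indicator itself)
// and Description. Raw-table column names below are the common Sentinel ones;
// verify them against your workspace before relying on this.
let lookback = 90d;
let iocs = _GetWatchlist('IOCs')
    | project IocType = tostring(Type), Ioc = tolower(tostring(Value)), Description = tostring(Description);
// Normalise each source into one shape: TimeGenerated, Table, IocType, Ioc.
// Every branch lower-cases the value so hashes and domains match regardless of case.
let observed = union
    (CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        | mv-expand Ip = pack_array(SourceIP, DestinationIP) to typeof(string)
        | project TimeGenerated, Table = "CommonSecurityLog", IocType = "IP", Ioc = tolower(Ip)),
    (DnsEvents
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, Table = "DnsEvents", IocType = "Domain", Ioc = tolower(Name)),
    (DeviceFileEvents
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, Table = "DeviceFileEvents", IocType = "Hash", Ioc = tolower(SHA256)),
    (DeviceNetworkEvents
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, Table = "DeviceNetworkEvents", IocType = "URL", Ioc = tolower(RemoteUrl))
    | where isnotempty(Ioc);
// Inner join keeps only rows whose (type, value) pair appears in the watchlist,
// and carries the watchlist Description through as the enrichment.
observed
| join kind=inner iocs on IocType, Ioc
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count()
    by Table, IocType, Ioc, Description
| order by LastSeen desc
```

Two caveats: `ago(90d)` only returns data the workspace still retains, so the lookback is bounded by the table retention you have configured; and where an ASIM parser exists for a source (for example `_Im_Dns` or `_Im_NetworkSession`), using it in place of the hand-written branch gives you the normalised column names without maintaining the `project` lines yourself.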