mirror of
https://github.com/marcredhat/kql
synced 2026-06-08 13:23:58 +00:00
marc
10 lines
433 B
Plaintext
10 lines
433 B
Plaintext
let IP_Indicators = ThreatIntelIndicators
|
|
| extend IndicatorType = tostring(split(ObservableKey, ":", 0)[0])
|
|
| where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
|
|
| where IsActive == true;
|
|
IP_Indicators
|
|
| join kind=innerunique (
|
|
CommonSecurityLog | where TimeGenerated >= ago(1h)
|
|
) on $left.ObservableValue == $right.DestinationIP
|
|
| project TimeGenerated, SourceIP, DestinationIP, Id, Confidence, DeviceVendor
|