Don't filter on arbitrary id

2020-08-25 10:56:09 +01:00 · 2020-08-25 10:56:09 +01:00 · 1d7fed2a42
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
@ -30,10 +30,9 @@ query: |
    | summarize make_list(tld);
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
-    | where isnotempty(DomainName)
    | where Active == true
    // Picking up only IOC's that contain the entities we want
-    | where ExternalIndicatorId startswith 'domain'
+    | where isnotempty(DomainName)
    | join (
         DnsEvents
        | where TimeGenerated > ago(dt_lookBack)