Don't filter on arbitrary id
Родитель
d6f63779e8
Коммит
1d7fed2a42
|
@ -30,10 +30,9 @@ query: |
|
|||
| summarize make_list(tld);
|
||||
ThreatIntelligenceIndicator
|
||||
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
||||
| where isnotempty(DomainName)
|
||||
| where Active == true
|
||||
// Picking up only IOC's that contain the entities we want
|
||||
| where ExternalIndicatorId startswith 'domain'
|
||||
| where isnotempty(DomainName)
|
||||
| join (
|
||||
DnsEvents
|
||||
| where TimeGenerated > ago(dt_lookBack)
|
||||
|
|
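Review bot: The indicator filters ahead of the join (`ExpirationDateTime > now()` and `where Active == true`) are evaluated against every stored row rather than each indicator's latest row. If the table keeps one row per indicator update, as it presumably does, an indicator that was later deactivated or revoked can still match through an older row and raise a false alert. Consider keeping only `| where TimeGenerated >= ago(ioc_lookBack)` first, then `| summarize arg_max(TimeGenerated, *) by IndicatorId`, and applying the `Active` and `ExpirationDateTime` checks after that. Separately, `| where isnotempty(DomainName)` appears twice in this section; the page has lost its +/- markers, so if both copies are on the new side one of them can be dropped. The join body continues outside the hunk.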