Don't filter on arbitrary id
Родитель
d6f63779e8
Коммит
1d7fed2a42
|
@ -30,10 +30,9 @@ query: |
|
||||||
| summarize make_list(tld);
|
| summarize make_list(tld);
|
||||||
ThreatIntelligenceIndicator
|
ThreatIntelligenceIndicator
|
||||||
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
||||||
| where isnotempty(DomainName)
|
|
||||||
| where Active == true
|
| where Active == true
|
||||||
// Picking up only IOC's that contain the entities we want
|
// Picking up only IOC's that contain the entities we want
|
||||||
| where ExternalIndicatorId startswith 'domain'
|
| where isnotempty(DomainName)
|
||||||
| join (
|
| join (
|
||||||
DnsEvents
|
DnsEvents
|
||||||
| where TimeGenerated > ago(dt_lookBack)
|
| where TimeGenerated > ago(dt_lookBack)
|
||||||
|
|
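Review bot: `Active == true` and `ExpirationDateTime > now()` are evaluated against every stored row of ThreatIntelligenceIndicator, and nothing visible in the hunk first reduces the table to the latest row per indicator. If the table keeps one row per indicator update, an indicator that a feed has since deactivated or revoked can still match through an older row written while it was active, which produces stale alerts. Consider adding `| summarize arg_max(TimeGenerated, *) by IndicatorId` right after the `TimeGenerated >= ago(ioc_lookBack)` filter, followed by `| where Active == true and ExpirationDateTime > now()`, and keeping the new `| where isnotempty(DomainName)` after that. The query starts before the hunk and continues past it inside `join (`, so confirm this against the full rule.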