creating IPRegex variable to re-use
This commit is contained in:
Родитель
1d7db2fe25
Коммит
34a188a647
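--- a/unknown
+++ b/unknown
@@ -48,12 +48,13 @@ query: |
 "notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
 "sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
 let IPList = dynamic(["51.91.200.147"]);
+let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
 (union isfuzzy=true
 (CommonSecurityLog
 | where TimeGenerated >= ago(timeframe)
 | parse Message with * '(' DNSName ')' *
-| extend MessageIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
-| extend RequestURLIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
+| extend MessageIP = extract(IPRegex, 0, Message)
+| extend RequestURLIP = extract(IPRegex, 0, Message)
 | where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))
 or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))
 or (isnotempty(Message) and MessageIP in (IPList))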
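Review bot: `RequestURLIP` on the new side is still extracted from `Message` rather than `RequestURL`, so the `RequestURLIP in (IPList)` clause guarded by `isnotempty(RequestURL)` never looks at the URL and only duplicates the `MessageIP in (IPList)` test; the line should read `| extend RequestURLIP = extract(IPRegex, 0, RequestURL)`. `extract` with group 0 also yields only the first dotted-quad in the field, so a record whose log text carries a benign address ahead of the indicator IP would presumably be missed; if that matters, `extract_all(IPRegex, Message)` compared via `array_length(set_intersect(MessageIPs, IPList)) > 0` would consider every address in the field. The `[0-9]{1,3}` pattern accepts octets above 255 and fragments of longer digit runs, which is harmless here only because the result is compared against an exact indicator list, and that deserves a comment next to the new `let`, e.g. `// loose dotted-quad pattern; safe because matches are compared exactly against IPList`. The `union isfuzzy=true` expression opened in this hunk closes outside it.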