creating IPRegex variable to re-use

2020-07-24 11:05:19 -07:00 · 2020-07-24 11:05:19 -07:00 · 34a188a647
--- a/Detections/MultipleDataSources/PhosphorusIOCs.yaml
+++ b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
@ -48,12 +48,13 @@ query: |
  "notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
  "sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
  let IPList = dynamic(["51.91.200.147"]);
+  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
  (union isfuzzy=true
  (CommonSecurityLog 
  | where TimeGenerated >= ago(timeframe)
  | parse Message with * '(' DNSName ')' * 
-  | extend MessageIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
-  | extend RequestURLIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
+  | extend MessageIP = extract(IPRegex, 0, Message)
+  | extend RequestURLIP = extract(IPRegex, 0, Message)
  | where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) 
  or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) 
  or (isnotempty(Message) and MessageIP in (IPList))