creating IPRegex variable to re-use
Родитель
1d7db2fe25
Коммит
34a188a647
|
@ -48,12 +48,13 @@ query: |
|
|||
"notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
|
||||
"sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
|
||||
let IPList = dynamic(["51.91.200.147"]);
|
||||
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
|
||||
(union isfuzzy=true
|
||||
(CommonSecurityLog
|
||||
| where TimeGenerated >= ago(timeframe)
|
||||
| parse Message with * '(' DNSName ')' *
|
||||
| extend MessageIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
|
||||
| extend RequestURLIP = extract('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}', 0, Message)
|
||||
| extend MessageIP = extract(IPRegex, 0, Message)
|
||||
| extend RequestURLIP = extract(IPRegex, 0, Message)
|
||||
| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))
|
||||
or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))
|
||||
or (isnotempty(Message) and MessageIP in (IPList))
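Review bot: `RequestURLIP` on the new side is still extracted from `Message` rather than `RequestURL`, so it carries the same value as `MessageIP` on the line above and the `RequestURLIP in (IPList)` test in the final `where` never looks at the URL column; if the name reflects the intent, the line should read `| extend RequestURLIP = extract(IPRegex, 0, RequestURL)`. The commit only swaps the literal for `IPRegex`, so this is carried over from the removed lines rather than introduced here. Separately, `extract(IPRegex, 0, ...)` returns only the first dotted-quad in the text, so a message holding several addresses is matched on the first one alone; `extract_all(IPRegex, Message)` intersected with `IPList` would cover the rest, if that coverage matters for this rule. The enclosing `union`/`CommonSecurityLog` block continues past the hunk.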
|
||||
|
|