BugFix- additional field covereage containing IP

2020-07-23 16:31:25 -07:00 · 2020-07-23 16:31:25 -07:00 · 5177a432a7
--- a/Detections/MultipleDataSources/PhosphorusIOCs.yaml
+++ b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
@ -55,7 +55,8 @@ query: |
  | where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)
  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or DNSName in~ (DomainNames)
  | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message") 
-  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), Account = SourceUserID, Host = DeviceName),
+ | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), Account = SourceUserID, Host = DeviceName
+  ),
  (DnsEvents 
  | where TimeGenerated >= ago(timeframe) 
  | extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer