Update AVSpringShell.yaml
Updating the in condition to in~
Родитель
8550ea2a86
Коммит
5282a78493
|
@ -29,7 +29,7 @@ query: |
|
|||
| where ProviderName == "MDATP"
|
||||
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
|
||||
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
|
||||
| where ThreatName in (SpringShell_threats) or ThreatFamilyName in (SpringShell_threats)
|
||||
| where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)
|
||||
| extend CompromisedEntity = tolower(CompromisedEntity)
|
||||
) on $left.DeviceName == $right.CompromisedEntity
|
||||
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
|
||||
|
|
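Review bot: The join at `on $left.DeviceName == $right.CompromisedEntity` still compares its keys case-sensitively, so the case-insensitive `in~` match only improves coverage if the left side's `DeviceName` is lowercased the same way `tolower(CompromisedEntity)` lowercases the right side. The left side of the join and the definition of `SpringShell_threats` lie outside this hunk, so this should be confirmed against the full query. If `DeviceName` is not normalized, adding `| extend DeviceName = tolower(DeviceName)` before the join keeps alerts for hosts reported in mixed case from being silently dropped. Separately, `tostring(LoggedOnUsers)` is listed twice in the `summarize by` clause and one occurrence can be removed.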