Update DomainEntity_PaloAlto.yaml

Update the CommonSecurityLog lookup based on ingestion time.
2019-09-27 11:17:57 -07:00 · 2019-09-27 11:17:57 -07:00 · 55e35c6293
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
@ -36,7 +36,8 @@ query: |
        | where isnotempty(DomainName)
        | join (
            CommonSecurityLog
-            | where TimeGenerated > ago(dt_lookBack)
+            | extend IngestionTime = ingestion_time()
+            | where IngestionTime > ago(dt_lookBack)
            | where DeviceVendor =~ 'Palo Alto Networks'
            | where DeviceEventClassID =~ 'url'
            //Uncomment the line below to only alert on allowed connections