Excluded local addresses using ipv4_is_private operator
This commit is contained in:
Arjun Trivedi 2022-04-26 12:39:42 +05:30 коммит произвёл GitHub
Родитель b32769ac42
Коммит a4576d2a26
1 изменённых файлов: 3 добавлений и 2 удалений


@ -36,7 +36,8 @@ query: |
| where csUriStem !in~ (ignore_uristems) // Remove noisy uri stems in the final results by editing the ignore_uristems variable
| extend suffix = strcat(".", split(split(csUriStem, "/")[-1], ".")[-1])
| extend is_script = iff(suffix in (script_extensions), 1, 0)
| where not(ipv4_is_private(cIP)) and cIP != "127.0.0.1"
//Exclude local addresses using ipv4_is_private operator
|where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
| extend status_xx = strcat(substring(tostring(scStatus), 0, 1), 'XX')
| serialize cIP, csUserAgent, TimeGenerated
| extend SessionStarted = row_window_session(TimeGenerated, 30s, 3s, (cIP != prev(cIP)) and (csUserAgent != prev(csUserAgent))));
@ -56,4 +57,4 @@ query: |
| sort by dyn_to_non_dyn_ratio desc, num_dynamic_scripts desc
| extend summary = pack('IPCustomEntity', cIP, 'user_agent', csUserAgent, 'num_dynamic_scripts', num_dynamic_scripts, 'set_dynamic_scripts', set_dynamic_scripts, 'num_non_dyn_scripts', num_non_dyn_scripts, 'set_non_dynamic_scripts', set_non_dynamic_scripts, 'ratio', dyn_to_non_dyn_ratio, 'Session_StartTime', SessionStarted)
| summarize summaries=make_list(summary), num_of_sessions_on_day = count() by cIP, csUserAgent
| sort by num_of_sessions_on_day asc
| sort by num_of_sessions_on_day asc
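Review bot: The added condition `cIP !startswith "::"` on the `|where` line (taking the two lines under the `//Exclude local addresses` comment as the new side, since the page carries no +/- markers) also drops IPv4-mapped IPv6 clients such as `::ffff:203.0.113.5`, which represent public addresses; `cIP != "::1"` is the narrower test if the intent is only IPv6 loopback. The IPv6 prefix checks may in practice never run: if ipv4_is_private() yields null for a non-IPv4 string, then `ipv4_is_private(cIP) == false` is null and the where clause discards every IPv6 row before the fe80/:: conditions are reached, so `coalesce(ipv4_is_private(cIP), false) == false` would be needed to keep those rows for the prefix tests. ipv4_is_private() covers only the RFC 1918 ranges, so IPv4 link-local 169.254.0.0/16 and 0.0.0.0 still pass this filter if that matters for the detection. The `|where` spacing differs from every other `| where` line in the query.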