From d6273f9fada5f7a4d7157b8daf50e05eb74902e0 Mon Sep 17 00:00:00 2001
From: Pete Bryan
Date: Mon, 6 Mar 2023 17:29:05 -0800
Subject: [PATCH] Updated EQ to correctly match IP

---
 Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml b/Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
index b8a296271a..c64f0aa929 100644
--- a/Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
+++ b/Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
@@ -18,8 +18,9 @@ Tactics:
 - Collection
 query: |
 let GetSysLogEventsWithIP = (v_IP_Address:string){
- _Im_NetworkSession(srcipaddr_has_any_prefix=dynamic([v_IP_Address]))
- | where NetworkDirection == "Outbound"
+ _Im_NetworkSession
+ | where has_ipv4(SrcIpAddr, v_IP_Address) or ipv6_is_match(SrcIpAddr, v_IP_Address)
+ | where NetworkDirection =~ "Outbound"
 | extend info = pack('HostIP', SrcIpAddr, 'SrcPort', SrcPortNumber, 'DstIP', DstIpAddr,'DstPort', DstPortNumber, 'DstFQDN', DstFQDN, 'User', SrcUsername, 'Process', Process)
 | extend Dvc = tolower(Dvc)
 | summarize min(TimeGenerated), max(TimeGenerated), count(), Host_Aux_info = make_set(info, maxSize=100) by Dvc
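Review bot: Dropping the `srcipaddr_has_any_prefix` parameter leaves `_Im_NetworkSession` invoked with no parser-side filter, so every underlying source is scanned before the new `has_ipv4`/`ipv6_is_match` where-clause runs; on a large workspace this exploration query may become noticeably slower or hit the query timeout. Keeping the prefix parameter as a coarse pre-filter and letting the new predicate do the exact match preserves both the corrected matching and the pushdown, e.g. `_Im_NetworkSession(srcipaddr_has_any_prefix=dynamic([v_IP_Address]))` followed by `| where has_ipv4(SrcIpAddr, v_IP_Address) or ipv6_is_match(SrcIpAddr, v_IP_Address)`. This assumes the old prefix filter only over-matched (returning a superset) rather than missed rows, which the hunk does not show; if it dropped rows the pre-filter must stay out. A short comment on the new where-clause would also help the next maintainer, e.g. `// exact source-IP match: has_ipv4 for IPv4 literals, ipv6_is_match for IPv6 and mixed notation`. The `GetSysLogEventsWithIP` function body continues past the end of the hunk.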