IOC Check In Multiple Sources
Query
let IOC = dynamic([""]);
union CommonSecurityLog,AzureDiagnostics,SigninLogs,AWSCloudTrail
|where TimeGenerated > ago(7d)
|where clientIP_s in (IOC) or clientIp_s in (IOC) or IPAddress in (IOC) or SourceIpAddress in (IOC)Explanation
This query is designed to search through multiple security-related logs to identify any entries that involve specific IP addresses of interest, known as Indicators of Compromise (IOCs). Here's a breakdown of what it does:
-
Define IOCs: It starts by defining a list of IP addresses (IOCs) that are of interest. In this case, the list is currently empty (
dynamic([""])), but it would typically contain IP addresses that are suspected of being involved in malicious activities. -
Combine Logs: It combines data from several log sources:
CommonSecurityLog,AzureDiagnostics,SigninLogs, andAWSCloudTrail. This means it will look for the specified IP addresses across all these different types of logs. -
Filter by Time: It filters the logs to only include entries that were generated in the last 7 days (
TimeGenerated > ago(7d)). -
Filter by IP Address: It further filters these logs to only include entries where the IP address matches one of the IOCs. It checks several fields that might contain IP addresses (
clientIP_s,clientIp_s,IPAddress,SourceIpAddress).
In summary, this query is used to find recent log entries from various sources that involve specific IP addresses of interest, helping to identify potential security threats.
Details

User Submission
Released: November 10, 2024
Tables
Keywords
Operators