Query Details

TI By Type

Query

ThreatIntelligenceIndicator
| where ExpirationDateTime > now()                    // drop indicators that have already expired
| summarize arg_max(TimeGenerated, *) by IndicatorId  // keep only the latest record for each indicator
| where Active == true                                // keep only indicators still marked active
| extend IndicatorType =                              // classify by the first populated field family
    iff(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), 'IP',
    iff(isnotempty(Url), 'URL',
    iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), 'Email',
    iff(isnotempty(FileHashValue), 'File',
    iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), 'Domain',
    'Other')))))
| summarize IndicatorCount = count() by IndicatorType // count indicators per type

Explanation

This query summarizes threat intelligence indicators by type. It drops expired indicators, keeps only the most recent record for each IndicatorId, and then keeps only the records marked active. It then assigns each indicator a type based on which of its properties are populated (IP address, URL, email, file hash, domain, or otherwise 'Other') and counts the indicators of each type.
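The following is an added offline model of the query's pipeline, not code from the original page: it replays the expiration filter, the arg_max dedupe per IndicatorId, the Active filter and the iff() chain over a few constructed ThreatIntelligenceIndicator rows, which makes two points visible that the summary alone does not: an indicator whose newest record is inactive is dropped even if an older record was active, and a row with several populated fields takes the first matching type in the chain (Url wins over DomainName).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed "now" so the sample data is deterministic (hypothetical, not from the page).
NOW = datetime(2023, 6, 15, tzinfo=timezone.utc)

def indicator_type(row: dict) -> str:
    """Mirror the query's iff() chain: the first field family that is non-empty wins."""
    has = lambda *cols: any(row.get(c) for c in cols)   # isnotempty() over a set of columns
    if has("EmailSourceIpAddress", "NetworkDestinationIP", "NetworkIP",
           "NetworkSourceIP", "NetworkCidrBlock"):
        return "IP"
    if has("Url"):
        return "URL"
    if has("EmailRecipient", "EmailSenderAddress"):
        return "Email"
    if has("FileHashValue"):
        return "File"
    if has("DomainName", "EmailSourceDomain"):
        return "Domain"
    return "Other"

def ti_by_type(rows, now=NOW) -> dict:
    """Replay the query's operators, in order, over a list of row dicts."""
    # | where ExpirationDateTime > now()
    live = [r for r in rows if r["ExpirationDateTime"] > now]
    # | summarize arg_max(TimeGenerated, *) by IndicatorId  -> latest record per indicator
    latest = {}
    for r in live:
        cur = latest.get(r["IndicatorId"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["IndicatorId"]] = r
    # | where Active == true
    active = [r for r in latest.values() if r["Active"]]
    # | extend IndicatorType = ... | summarize IndicatorCount = count() by IndicatorType
    return dict(Counter(indicator_type(r) for r in active))

def sample_rows():
    """Constructed sample rows (column names follow the table; values are made up)."""
    t = lambda d: NOW - timedelta(days=d)          # TimeGenerated d days ago
    exp = NOW + timedelta(days=30)                 # still valid
    return [
        # ioc-1: newest record is inactive, so the older active record must not be counted
        {"IndicatorId": "ioc-1", "TimeGenerated": t(5), "ExpirationDateTime": exp, "Active": True,  "NetworkIP": "203.0.113.10"},
        {"IndicatorId": "ioc-1", "TimeGenerated": t(1), "ExpirationDateTime": exp, "Active": False, "NetworkIP": "203.0.113.10"},
        # ioc-2: Url and DomainName both set; the chain classifies it as URL, not Domain
        {"IndicatorId": "ioc-2", "TimeGenerated": t(2), "ExpirationDateTime": exp, "Active": True, "Url": "http://example.com/x", "DomainName": "example.com"},
        # ioc-3: already expired, removed by the first where
        {"IndicatorId": "ioc-3", "TimeGenerated": t(2), "ExpirationDateTime": NOW - timedelta(days=1), "Active": True, "FileHashValue": "a" * 64},
        # ioc-4: file hash only
        {"IndicatorId": "ioc-4", "TimeGenerated": t(3), "ExpirationDateTime": exp, "Active": True, "FileHashValue": "b" * 64},
        # ioc-5: none of the recognised fields populated, so it lands in 'Other'
        {"IndicatorId": "ioc-5", "TimeGenerated": t(3), "ExpirationDateTime": exp, "Active": True},
    ]
```

Running ti_by_type(sample_rows()) yields one URL, one File and one Other indicator; a non-zero 'Other' count is the signal to check which feed is delivering indicators without any of the expected observable fields.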

Details


Rod Trent

Released: June 15, 2023

Tables

ThreatIntelligenceIndicator

Keywords

ThreatIntelligenceIndicator,ExpirationDateTime,TimeGenerated,IndicatorId,Active,IndicatorType,EmailSourceIpAddress,NetworkDestinationIP,NetworkIP,NetworkSourceIP,NetworkCidrBlock,Url,EmailRecipient,EmailSenderAddress,FileHashValue,DomainName,EmailSourceDomain,Other,IndicatorCount

Operators

where,summarize,arg_max,by,extend,iif,isnotempty,or,and,iff,count
