Query Details

Visualization Threat Intelligence Indicator Triggered

Query

# Visualize the Threat Intelligence Indicators last 30 days

## Query Information

#### Description
This query visualizes the IOCs that have triggered in the last 30 days. These can be, for example, domains, IPs or URLs. The results are rendered in a pie chart.

## Sentinel
```
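ThreatIntelligenceIndicator
// Keep only indicator records from the last 30 days
| where TimeGenerated > ago(30d)
// Use the first populated field as the IOC: DomainName, then NetworkIP, then Url
| extend IOC = iff(isnotempty(DomainName), DomainName, iff(isnotempty(NetworkIP), NetworkIP, iff(isnotempty(Url),Url, "No IOC defined")))
// Count records per IOC value and draw the result as a pie chart
| summarize count() by IOC
| render piechart with (title="Threat Intelligence Indicators by IOC last month")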
```



Explanation

The query visualizes the threat intelligence indicators that have been triggered in the last 30 days. These indicators can be domains, IPs, or URLs. The results are displayed in a pie chart.

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

ThreatIntelligenceIndicator

Keywords

ThreatIntelligenceIndicator,TimeGenerated,DomainName,NetworkIP,Url,IOC

Operators

where,ago,extend,iff,isnotempty,summarize,by,render
