Cannot use join KQL for Analytics Rules #9484
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @jeffrywu28, thanks for flagging this issue, we will get back to you by 30 Nov 2023.
Hi @jeffrywu28, just want to know, have you declared the If we declare the FYI. we have defined the Could you please check with
Hi @jeffrywu28, we are waiting for your response on the above comment. Thanks!
Hi @jeffrywu28, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 08-12-2023, we will be closing this issue.
Hi @jeffrywu28, since we have not received a response in the last 5 days, we are closing your issue #9484 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
Describe the bug
Why can't I use detection rules that correlate with the ThreatIntelIndicator table via join?
To Reproduce
Steps to reproduce the behavior:
```kusto
// PortScanThreshold was not declared in the original query; an undeclared
// name fails rule validation. The value 50 is an assumption, tune as needed.
let PortScanThreshold = 50;
_Im_NetworkSession
| where ipv4_is_private(SrcIpAddr) == false      // external sources only
| where SrcIpAddr !in ("127.0.0.1", "::1")        // drop loopback
| summarize
    AttemptedPortsCount = dcount(DstPortNumber),
    AttemptedPorts = make_set(DstPortNumber),
    ReportedBy = make_set(strcat(EventVendor, "/", EventProduct)),
    LastTimeGenerated = max(TimeGenerated)
    by SrcIpAddr
| where AttemptedPortsCount > PortScanThreshold
| join kind=inner (
    ThreatIntelligenceIndicator
    | summarize ThreatTypes = make_set(ThreatType) by NetworkSourceIP // Aggregate ThreatTypes for each NetworkSourceIP
)
on $left.SrcIpAddr == $right.NetworkSourceIP
| project
    SrcIpAddr,
    LastTimeGenerated,
    AttemptedPortsCount,
    AttemptedPorts,
    ReportedBy,
    ThreatTypes
```
Expected behavior
It's running and showing the test result clearly
Screenshots
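As an added example (not the issue author's query and not from the Sentinel repo), here is the same port-scan-plus-TI detection shaped the way a scheduled analytics rule needs it: every name is declared with `let` inside the query body, and the ThreatIntelligenceIndicator side keeps only active, unexpired indicators reduced to one row per IndicatorId before the join, so a single IP with many indicator versions does not fan the join out. The threshold of 50 and the 14-day indicator lookback are assumed values.

```kusto
// Added example; values marked "assumed" are not from the issue.
let PortScanThreshold = 50;        // assumed: distinct ports per source IP
let ioc_lookBack = 14d;            // assumed: how far back to load indicators
// Build the threat-intel side once: active, not expired, latest record per
// indicator, then one row per NetworkSourceIP with the aggregated threat types.
let TI_SourceIPs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkSourceIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | summarize
        ThreatTypes = make_set(ThreatType),
        MaxConfidence = max(ConfidenceScore)
        by NetworkSourceIP;
_Im_NetworkSession
| where not(ipv4_is_private(SrcIpAddr))           // external sources only
| where SrcIpAddr !in ("127.0.0.1", "::1")        // drop loopback
| summarize
    AttemptedPortsCount = dcount(DstPortNumber),
    AttemptedPorts = make_set(DstPortNumber),
    ReportedBy = make_set(strcat(EventVendor, "/", EventProduct)),
    LastTimeGenerated = max(TimeGenerated)
    by SrcIpAddr
| where AttemptedPortsCount > PortScanThreshold
// inner join: only scanners that also appear as a TI source IP survive
| join kind=inner TI_SourceIPs on $left.SrcIpAddr == $right.NetworkSourceIP
| project
    SrcIpAddr,            // map this column to the rule's IP entity
    LastTimeGenerated,
    AttemptedPortsCount,
    AttemptedPorts,
    ReportedBy,
    ThreatTypes,
    MaxConfidence
```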