Bert-JanP / Hunting-Queries-Detection-Rules

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
https://kqlquery.com
BSD 3-Clause "New" or "Revised" License

Update Behavior - InboundConnectionFromMaliciousIP.md #15

Closed Lodewyk-Git closed 11 months ago

Lodewyk-Git commented 11 months ago

Default value for arrays in Sentinel is dynamics, in MDE threat hunting it's either converted to json or is json by default.

Lodewyk-Git commented 11 months ago

*dynamic

Bert-JanP commented 11 months ago

Hi,

This option throws an error:

dynamic_to_json(): argument #1 must be a dynamic

This is because AdditionalFields is a string and not a dynamic field. The query below could parse it to JSON.

```kql
DeviceNetworkEvents
| extend x = todynamic(AdditionalFields)   // AdditionalFields is a string here, so parse it first
| extend y = dynamic_to_json(x)            // dynamic_to_json() requires a dynamic argument
```

Lodewyk-Git commented 11 months ago

Strange, for me it gives the following error in Sentinel when run, which is why I added the conversion. @Bert-JanP error:

`extractjson(): argument #2 expected to be a string expression`

Request id:

Lodewyk-Git commented 11 months ago

So like yea you're right it's a string by default, but you change it to a dynamic type in the query.

Bert-JanP commented 11 months ago

I will check again, and will come back at this next week. Have a good weekend!

Bert-JanP commented 11 months ago

Did some further investigation and came to the same conclusion. In this case MDE differs from the Sentinel results.
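The thread turns on one type difference: `AdditionalFields` is a string in Defender for Endpoint advanced hunting and a dynamic in Sentinel, so `dynamic_to_json()` fails on one side and `extractjson()` on the other. The following is an added example, not part of the thread or of the repository's query. It uses a constructed `datatable` in place of `DeviceNetworkEvents` (the column names follow the real schema, the row values are made up) and relies on the fact that `todynamic()` returns a dynamic input unchanged, so the same query works whichever type the column arrives in. Field names inside `AdditionalFields` (`Direction`, `ProcessId`) are assumptions for the sample, not a documented schema.

```kql
// Added example (not from the repository). Constructed rows stand in for DeviceNetworkEvents;
// the AdditionalFields column is a string here, as in Defender for Endpoint. In Sentinel it is
// already dynamic, and todynamic() passes a dynamic value through untouched, so this query
// runs on both without a per-tenant edit.
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, RemoteIP:string, ActionType:string, AdditionalFields:string)
[
    datetime(2024-01-15 10:00:00), "host01", "203.0.113.10", "InboundConnectionAccepted", '{"Direction":"In","ProcessId":1234}',
    datetime(2024-01-15 10:05:00), "host02", "198.51.100.7", "ConnectionSuccess",         '{"Direction":"Out","ProcessId":5678}'
];
SampleEvents
| extend AF = todynamic(AdditionalFields)          // string -> dynamic; no-op if already dynamic
| extend Direction = tostring(AF.Direction),       // dot access on the dynamic, so extractjson() is not needed
         ProcessId = toint(AF.ProcessId)
| extend AFJson = dynamic_to_json(AF)              // AF is a dynamic now, so this call no longer errors
| where Direction == "In"                          // keep only inbound connections for the detection
| project Timestamp, DeviceName, RemoteIP, ActionType, Direction, ProcessId, AFJson
```

Against the sample data this returns the single `host01` row. Swap `SampleEvents` for `DeviceNetworkEvents` to run it in either portal; the `todynamic()` step is the only part that depends on the column type, and it is safe in both.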