
Commit 497cd71

Merge pull request #12428 from Azure/v-sabiraj-updatingrule
Update IPEntity_CustomSecurityLog.yaml
2 parents 429284b + 59920de commit 497cd71

3 files changed

+70
-70
lines changed


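--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml
@@ -45,7 +45,7 @@ query: |
 CommonSecurityLog
 | where TimeGenerated >= ago(dt_lookBack)
 | extend MessageIP = extract(IPRegex, 0, Message)
-| extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)
+| extend CS_ipEntity = iff((not(ipv4_is_private(SourceIP)) and isnotempty(SourceIP)), SourceIP, DestinationIP)
 | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 )
@@ -65,5 +65,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: SourceIP
-version: 1.2.3
+version: 1.2.4
 kind: Scheduled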
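Review bot: The private-range filter on the new line 48 is applied only to SourceIP; the DestinationIP fallback on the same line and the MessageIP fallback on line 49 get no equivalent `ipv4_is_private` check, so an internal address can still become CS_ipEntity and be matched against the indicator list through those paths. `ipv4_is_private` returns null for a value it cannot parse as IPv4 (an IPv6 string, for example), which presumably makes the whole predicate null and sends every IPv6 SourceIP row to the DestinationIP branch — confirm that is the intended behaviour, and add a comment on the rule stating why private source addresses are excluded, e.g. `# Prefer SourceIP unless it is RFC 1918 private; fall back to DestinationIP, then the IP parsed from Message`. Separately, the entity mapping at line 67 still maps Address to `SourceIP` rather than CS_ipEntity, so the entity on the alert may differ from the address that actually matched an indicator. The `query: |` block begins above the hunk.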
