Skip to content

Use correct time columns to check Expiration and to summarize in TI Map Detections.#3549

Closed
ep3p wants to merge 5 commits into
Azure:masterfrom
ep3p:ep3p-TIMapUpdates
Closed

Use correct time columns to check Expiration and to summarize in TI Map Detections.#3549
ep3p wants to merge 5 commits into
Azure:masterfrom
ep3p:ep3p-TIMapUpdates

Conversation

@ep3p
Copy link
Copy Markdown
Contributor

@ep3p ep3p commented Nov 25, 2021
edited
Loading

This Pull Request comes from a closed unmerged pull request that got messy (#3477)

Fixes #

Saving some unnecessary conditions.

Expiration Date is already getting compared at

ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()

2nd summarize was getting its TimeGenerated from the event table, not from the Indicator Table.

Proposed Changes

  • Remove conditions about the time of the indicator, as they are already fulfilled.
  • Use correct column in 2nd summarize.
  • Use project-rename for Event columns that conflict with Indicator columns.

@ep3p
Use project-rename instead of extend
2bf6879 
Use project-rename instead of extend for columns that conflict with Indicator columns.
@shainw
Copy link
Copy Markdown
Contributor

shainw commented Nov 29, 2021

As I said in other comments, we are using this PR with multiple changes across all TI - #3571. Thanks much.

@shainw shainw closed this Nov 29, 2021
@shainw shainw self-assigned this Nov 29, 2021
@ep3p ep3p deleted the ep3p-TIMapUpdates branch November 30, 2021 07:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Amitbergman Amitbergman Awaiting requested review from Amitbergman

@aprakash13 aprakash13 Awaiting requested review from aprakash13

@ashwin-patil ashwin-patil Awaiting requested review from ashwin-patil

@dicolanl dicolanl Awaiting requested review from dicolanl

@ianhelle ianhelle Awaiting requested review from ianhelle

@juliango2100 juliango2100 Awaiting requested review from juliango2100

@laithhisham laithhisham Awaiting requested review from laithhisham

@liatlishams liatlishams Awaiting requested review from liatlishams

@liemilyg liemilyg Awaiting requested review from liemilyg

@lior-tamir lior-tamir Awaiting requested review from lior-tamir

@mgladi mgladi Awaiting requested review from mgladi

@nazang nazang Awaiting requested review from nazang

@NoamLandress NoamLandress Awaiting requested review from NoamLandress

@oshezaf oshezaf Awaiting requested review from oshezaf

@oshvartz oshvartz Awaiting requested review from oshvartz

@petebryan petebryan Awaiting requested review from petebryan

@preetikr preetikr Awaiting requested review from preetikr

@sagamzu sagamzu Awaiting requested review from sagamzu

@sarah-yo sarah-yo Awaiting requested review from sarah-yo

@shainw shainw Awaiting requested review from shainw

@shschwar shschwar Awaiting requested review from shschwar

@sreedharande sreedharande Awaiting requested review from sreedharande

@timbMSFT timbMSFT Awaiting requested review from timbMSFT

@Yaniv-Shasha Yaniv-Shasha Awaiting requested review from Yaniv-Shasha

@YaronFruchtmann YaronFruchtmann Awaiting requested review from YaronFruchtmann

@YuvalNaor YuvalNaor Awaiting requested review from YuvalNaor

Assignees

@shainw shainw

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ep3p @shainw