In Data Lake it is still not possible to make queries with CURL, so I would like an option like this:
IOC_LIST(IOC_Type, Indicator, note) AS (
VALUES
--Query Base Construction
('ip','8.8.8.8','Test IP'),
('sha256','1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c','Test Hash'),
('file_path_name','C:\windows\syswow64\netsetupsvc.dll','Test File Path'),
('domain','google.com','Test Domain'),
...
Therefore, I would like to look for the occurrence of data from the table above in DataLake.
Types:
- Check for matching domain or URL info seen in the specified lookback period
- Check for matching IP info seen in the specified lookback period
- Check for matching port info seen in the specified lookback period
- Check for matching sha256 info seen in the specified lookback period
- Check for matching process activity info seen in the specified lookback period
- Check for matching file/directory on the CURRENT STATE of the device
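The lookup asked for above, as an added example that is not part of the original post or of any vendor's Data Lake: it keeps the IOC_LIST CTE shape from the post and joins it, per IOC type, against a constructed in-memory event table (the event columns and the lookback filter are assumptions), run through SQLite from Python so it works offline.

```python
import sqlite3

# Constructed IOC list in the IOC_LIST(IOC_Type, Indicator, note) shape from the post.
IOC_LIST = [
    ("ip", "8.8.8.8", "Test IP"),
    ("sha256", "1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c", "Test Hash"),
    ("file_path_name", r"C:\windows\syswow64\netsetupsvc.dll", "Test File Path"),
    ("domain", "google.com", "Test Domain"),
]

# Constructed sample telemetry; column names are assumptions, not a real Data Lake schema.
# Columns: event_time (unix seconds), hostname, dest_ip, domain, sha256, file_path
EVENTS = [
    (1700000000, "host-a", "8.8.8.8", None, None, None),
    (1700000100, "host-b", None, "GOOGLE.com", None, None),
    (1700000200, "host-c", None, None, "1817A5BF9C01035BCF8A975C9F1D94B0CE7F6A200339485D8F93859F8F6D730C", None),
    (1700000300, "host-d", None, None, None, r"C:\Windows\SysWOW64\netsetupsvc.dll"),
    (1600000000, "host-e", "8.8.8.8", None, None, None),           # older than the lookback window
    (1700000400, "host-f", "1.1.1.1", "example.net", None, None),  # no indicator matches
]

def find_ioc_hits(events, iocs, now, lookback_seconds):
    """Return (hostname, IOC_Type, Indicator, note) for every event inside the lookback
    window whose field of the matching type equals an indicator (case-insensitive
    for domains, hashes and Windows paths; exact for IPs)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events(event_time INTEGER, hostname TEXT, dest_ip TEXT, "
                "domain TEXT, sha256 TEXT, file_path TEXT)")
    con.executemany("INSERT INTO events VALUES (?,?,?,?,?,?)", events)
    # Build the VALUES rows of the CTE from bound parameters so indicators are never spliced into SQL.
    values_sql = ",".join(["(?,?,?)"] * len(iocs))
    params = [v for row in iocs for v in row] + [now - lookback_seconds]
    query = f"""
        WITH IOC_LIST(IOC_Type, Indicator, note) AS (VALUES {values_sql})
        SELECT e.hostname, i.IOC_Type, i.Indicator, i.note
        FROM events e
        JOIN IOC_LIST i ON
             (i.IOC_Type = 'ip'             AND e.dest_ip = i.Indicator)
          OR (i.IOC_Type = 'domain'         AND LOWER(e.domain) = LOWER(i.Indicator))
          OR (i.IOC_Type = 'sha256'         AND LOWER(e.sha256) = LOWER(i.Indicator))
          OR (i.IOC_Type = 'file_path_name' AND LOWER(e.file_path) = LOWER(i.Indicator))
        WHERE e.event_time >= ?
        ORDER BY e.event_time"""
    hits = con.execute(query, params).fetchall()
    con.close()
    return hits

if __name__ == "__main__":
    for hit in find_ioc_hits(EVENTS, IOC_LIST, now=1700001000, lookback_seconds=7 * 24 * 3600):
        print(hit)
```

The file-path match covers the "seen in the lookback period" case only; the current-state check on a device is a separate endpoint query and is not modelled here.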