Query Details

03 CSL Threat Intelligence IP Match

Query

id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
name: "Firewall Traffic to Threat Intelligence Flagged IP"
version: 1.0.0
kind: Scheduled
description: |
  Correlates allowed firewall traffic (Fortinet, Palo Alto, Zscaler) against active Threat
  Intelligence indicators from the ThreatIntelligenceIndicator table. Any allowed connection
  to a TI-flagged IP is a high-confidence indicator of compromise, C2 communication, or
  active exploitation attempt.
  MITRE ATT&CK: T1071 (Application Layer Protocol), T1078 (Valid Accounts)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
  - connectorId: ThreatIntelligence
    dataTypes:
      - ThreatIntelligenceIndicator
queryFrequency: 15m
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - InitialAccess
relevantTechniques:
  - T1071
  - T1078
query: |
  // Active IP indicators from the last 30 days, keyed on NetworkIP. When the same IP
  // appears in several indicators, the threat types are merged and the highest
  // confidence score is kept.
  let TI_IPs =
      ThreatIntelligenceIndicator
      | where TimeGenerated > ago(30d)
      | where Active == true
      | where isnotempty(NetworkIP)
      | summarize ThreatTypes = make_set(ThreatType), ConfidenceScore = max(ConfidenceScore)
          by TI_IP = NetworkIP;
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  // Keep only allowed traffic. !in~ is case-insensitive, so "Deny", "deny" and "DENY"
  // are all excluded; the plain !in operator would let mixed-case denies through.
  | where DeviceAction !in~ ("deny", "block", "drop", "reset-both")
  | where isnotempty(DestinationIP) or isnotempty(SourceIP)
  // Check the non-private side of the connection: the destination if it is public,
  // otherwise the source (covers inbound hits). ipv4_is_private() returns null for an
  // empty or invalid address, so null == false is null and the source is used.
  | extend CheckIP = iff(ipv4_is_private(DestinationIP) == false, DestinationIP, SourceIP)
  | join kind=inner TI_IPs on $left.CheckIP == $right.TI_IP
  | summarize
      HitCount         = count(),
      InternalIPs      = make_set(SourceIP, 20),   // for inbound hits this is the TI IP itself
      DeviceVendors    = make_set(DeviceVendor),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated),
      ThreatTypes      = make_set(ThreatTypes),
      ConfidenceScore  = max(ConfidenceScore)
    by TI_IP
  | order by HitCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: TI_IP
customDetails:
  HitCount: HitCount
  ConfidenceScore: ConfidenceScore
alertDetailsOverride:
  alertDisplayNameFormat: "TI Match - Firewall Allowed Traffic to {{TI_IP}}"
  alertDescriptionFormat: "TI-flagged IP {{TI_IP}} (confidence: {{ConfidenceScore}}) was seen in {{HitCount}} allowed firewall events. Possible C2 communication or active IOC."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potentially malicious activity by identifying allowed firewall traffic to IP addresses flagged by threat intelligence sources. Here's a simplified breakdown:

  1. Purpose: The query checks for allowed connections from firewalls (Fortinet, Palo Alto, Zscaler) to IP addresses that are flagged as threats by threat intelligence data. Such connections could indicate a compromise, command-and-control (C2) communication, or an active exploitation attempt.

  2. Data Sources: It uses two main data sources:

    • CommonSecurityEvents (the CommonSecurityLog table): firewall logs.
    • ThreatIntelligence (the ThreatIntelligenceIndicator table): threat intelligence indicators, specifically those carrying an IP address.

  3. Process:

    • Threat Intelligence IPs: It first collects active threat intelligence indicators from the past 30 days that carry an IP address, merging the threat types and keeping the highest confidence score per IP.
    • Firewall Logs: It then examines firewall logs from the past day, keeping only allowed traffic (not denied, blocked or dropped).
    • IP Matching: For each connection it picks the non-private side (the destination IP if it is public, otherwise the source IP) and matches it against the threat intelligence IPs.

  4. Output:

    • It summarizes the findings per threat intelligence IP: how many times it was contacted, the internal IPs involved, the vendors of the devices that allowed the traffic, the first and last time it was seen, the threat types attached to it, and its confidence score.
    • The results are ordered by the number of hits (contacts) in descending order.

  5. Alerting:

    • If any matches are found, an alert is generated with details about the threat intelligence IP, the confidence score of the threat, and the number of times it was contacted.
    • The alert is configured to create an incident, grouping alerts for the same IP address within a 12-hour window into one incident to avoid duplication.

  6. Severity and Techniques:

    • The severity of the alert is marked as high.
    • It maps to MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1078 (Valid Accounts), indicating potential tactics used by attackers.

In summary, this query helps security teams quickly identify and respond to suspicious network activities involving known threat IPs, potentially preventing or mitigating security incidents.
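To check the filter and join semantics of the rule before deploying it, the correlation above can be replayed offline on a handful of constructed rows. The Python below is an added example, not part of the rule or of Microsoft Sentinel: the ThreatIntelligenceIndicator and CommonSecurityLog rows, the vendor list and the fixed query time are all constructed, and ipv4_is_private() is re-implemented as the RFC 1918 ranges so it matches the KQL function rather than Python's broader is_private property. It also shows the two edge cases the explanation touches on: an inbound hit where the threat IP is the source, and a mixed-case "Deny" action that a case-sensitive exclusion list would wrongly count as allowed.

```python
"""Offline replay of the "Firewall Traffic to Threat Intelligence Flagged IP" logic.
Added example with constructed data; not the rule itself or any vendor's code."""
import ipaddress
from datetime import datetime, timedelta

NOW = datetime(2026, 3, 2, 12, 0, 0)               # constructed "query time"
FIREWALL_VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
DENIED_ACTIONS = {"deny", "block", "drop", "BLOCK", "DROP", "Reset-Both"}  # as listed in the rule

# Constructed ThreatIntelligenceIndicator rows (sample data, not real indicators).
TI_ROWS = [
    {"TimeGenerated": datetime(2026, 3, 1, 8), "Active": True,  "NetworkIP": "203.0.113.10", "ThreatType": "C2",       "ConfidenceScore": 80},
    {"TimeGenerated": datetime(2026, 3, 1, 9), "Active": True,  "NetworkIP": "203.0.113.10", "ThreatType": "Malware",  "ConfidenceScore": 65},
    {"TimeGenerated": datetime(2026, 3, 1, 9), "Active": False, "NetworkIP": "198.51.100.7", "ThreatType": "Phishing", "ConfidenceScore": 50},
    {"TimeGenerated": datetime(2026, 1, 1, 9), "Active": True,  "NetworkIP": "192.0.2.44",   "ThreatType": "Botnet",   "ConfidenceScore": 90},  # older than 30d
]

# Constructed CommonSecurityLog rows.
CSL_ROWS = [
    {"TimeGenerated": datetime(2026, 3, 2, 9, 0),  "DeviceVendor": "Fortinet",           "DeviceAction": "accept",  "SourceIP": "10.1.2.3",     "DestinationIP": "203.0.113.10"},
    {"TimeGenerated": datetime(2026, 3, 2, 9, 5),  "DeviceVendor": "Palo Alto Networks", "DeviceAction": "allow",   "SourceIP": "10.1.2.4",     "DestinationIP": "203.0.113.10"},
    {"TimeGenerated": datetime(2026, 3, 2, 9, 6),  "DeviceVendor": "Palo Alto Networks", "DeviceAction": "Deny",    "SourceIP": "10.1.2.5",     "DestinationIP": "203.0.113.10"},  # mixed-case deny
    {"TimeGenerated": datetime(2026, 3, 2, 10, 0), "DeviceVendor": "Zscaler",            "DeviceAction": "Allowed", "SourceIP": "203.0.113.10", "DestinationIP": "10.1.2.6"},      # inbound hit
    {"TimeGenerated": datetime(2026, 3, 2, 10, 1), "DeviceVendor": "Cisco",              "DeviceAction": "accept",  "SourceIP": "10.1.2.7",     "DestinationIP": "203.0.113.10"},  # vendor out of scope
    {"TimeGenerated": datetime(2026, 3, 2, 10, 2), "DeviceVendor": "Fortinet",           "DeviceAction": "accept",  "SourceIP": "10.1.2.8",     "DestinationIP": "198.51.100.7"},  # inactive indicator
    {"TimeGenerated": datetime(2026, 2, 28, 8, 0), "DeviceVendor": "Fortinet",           "DeviceAction": "accept",  "SourceIP": "10.1.2.9",     "DestinationIP": "203.0.113.10"},  # older than 1d
]

_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_is_private(ip):
    """Mirror KQL ipv4_is_private(): True/False for a valid IPv4 string, None (null) otherwise."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except (ipaddress.AddressValueError, ValueError):
        return None
    return any(addr in net for net in _RFC1918)


def check_ip(src, dst):
    """Mirror: extend CheckIP = iff(ipv4_is_private(DestinationIP) == false, DestinationIP, SourceIP).
    In KQL, null == false is null, so an empty or invalid destination falls through to SourceIP."""
    return dst if ipv4_is_private(dst) is False else src


def is_denied(action, case_insensitive=True):
    """case_insensitive=True mirrors !in~; False mirrors the case-sensitive !in operator."""
    if case_insensitive:
        return action.lower() in {d.lower() for d in DENIED_ACTIONS}
    return action in DENIED_ACTIONS


def build_ti_ips(ti_rows, now=NOW):
    """Mirror the TI_IPs let-statement: active, non-empty IPs from the last 30 days,
    threat types merged and the highest confidence score kept per IP."""
    ti = {}
    for r in ti_rows:
        if r["TimeGenerated"] <= now - timedelta(days=30) or not r["Active"] or not r["NetworkIP"]:
            continue
        entry = ti.setdefault(r["NetworkIP"], {"ThreatTypes": set(), "ConfidenceScore": r["ConfidenceScore"]})
        entry["ThreatTypes"].add(r["ThreatType"])
        entry["ConfidenceScore"] = max(entry["ConfidenceScore"], r["ConfidenceScore"])
    return ti


def correlate(csl_rows, ti_rows, now=NOW, case_insensitive=True):
    """Mirror the main query: filter firewall rows, join on CheckIP, summarize per TI_IP."""
    ti = build_ti_ips(ti_rows, now)
    hits = {}
    for r in csl_rows:
        if r["TimeGenerated"] <= now - timedelta(days=1):
            continue
        if r["DeviceVendor"] not in FIREWALL_VENDORS:
            continue
        if is_denied(r["DeviceAction"], case_insensitive):
            continue
        if not (r["DestinationIP"] or r["SourceIP"]):
            continue
        ip = check_ip(r["SourceIP"], r["DestinationIP"])
        if ip not in ti:
            continue
        h = hits.setdefault(ip, {
            "TI_IP": ip, "HitCount": 0, "InternalIPs": set(), "DeviceVendors": set(),
            "FirstSeen": r["TimeGenerated"], "LastSeen": r["TimeGenerated"],
            "ThreatTypes": set(ti[ip]["ThreatTypes"]), "ConfidenceScore": ti[ip]["ConfidenceScore"],
        })
        h["HitCount"] += 1
        h["InternalIPs"].add(r["SourceIP"])          # as in the rule: on inbound hits this is the TI IP
        h["DeviceVendors"].add(r["DeviceVendor"])
        h["FirstSeen"] = min(h["FirstSeen"], r["TimeGenerated"])
        h["LastSeen"] = max(h["LastSeen"], r["TimeGenerated"])
    return sorted(hits.values(), key=lambda h: h["HitCount"], reverse=True)


if __name__ == "__main__":
    for row in correlate(CSL_ROWS, TI_ROWS):
        print(row)
```

Run against the constructed rows, only 203.0.113.10 is reported, with three hits when the deny list is matched case-insensitively and four when it is matched case-sensitively, because the "Deny" row then slips through as allowed traffic. The inbound Zscaler row also shows why InternalIPs should be read with care: it is built from SourceIP, so for inbound hits it contains the threat IP rather than an internal host.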

Details


David Alonso

Released: March 2, 2026

Tables

ThreatIntelligenceIndicator, CommonSecurityLog

Keywords

Firewall, Traffic, Threat Intelligence, IP, Compromise, Communication, Exploitation Attempt, CommonSecurityEvents, CommonSecurityLog, ThreatIntelligence, ThreatIntelligenceIndicator, DeviceVendor, DeviceAction, DestinationIP, SourceIP, CheckIP, HitCount, InternalIPs, DeviceVendors, FirstSeen, LastSeen, ThreatTypes, ConfidenceScore

Operators

let, where, ago, isnotempty, summarize, make_set, max, by, in, !in, extend, iff, ipv4_is_private, join, on, $left, $right, count, min, order by, desc
