Firewall Traffic to Threat Intelligence Flagged IP
03 CSL Threat Intelligence IP Match
Query
let TI_IPs =
ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| where Active == true
| where isnotempty(NetworkIP)
| summarize ThreatTypes = make_set(ThreatType), ConfidenceScore = max(ConfidenceScore)
by TI_IP = NetworkIP;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(DestinationIP) or isnotempty(SourceIP)
| extend CheckIP = iff(ipv4_is_private(DestinationIP) == false, DestinationIP, SourceIP)
| join kind=inner TI_IPs on $left.CheckIP == $right.TI_IP
| summarize
HitCount = count(),
InternalIPs = make_set(SourceIP, 20),
DeviceVendors = make_set(DeviceVendor),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
ThreatTypes = make_set(ThreatTypes),
ConfidenceScore = max(ConfidenceScore)
by TI_IP
| order by HitCount descExplanation
This query is designed to detect potentially malicious activity by identifying allowed firewall traffic to IP addresses flagged by threat intelligence sources. Here's a simplified breakdown:
-
Purpose: The query checks for allowed connections from firewalls (Fortinet, Palo Alto, Zscaler) to IP addresses that are flagged as threats by threat intelligence data. Such connections could indicate a compromise, command-and-control (C2) communication, or an active exploitation attempt.
-
Data Sources: It uses two main data sources:
- CommonSecurityEvents: Logs from firewalls.
- ThreatIntelligence: Indicators of threat intelligence, specifically focusing on IP addresses.
-
Process:
- Threat Intelligence IPs: It first collects active threat intelligence indicators from the past 30 days, focusing on IP addresses.
- Firewall Logs: It then examines firewall logs from the past day, looking for allowed traffic (not denied or blocked) to these IPs.
- IP Matching: It matches the destination or source IPs from the firewall logs with the threat intelligence IPs.
-
Output:
- It summarizes the findings by counting how many times each threat intelligence IP was contacted, listing internal IPs involved, the vendors of the devices that allowed the traffic, and the first and last time the IP was seen.
- The results are ordered by the number of hits (contacts) in descending order.
-
Alerting:
- If any matches are found, an alert is generated with details about the threat intelligence IP, the confidence score of the threat, and the number of times it was contacted.
- The alert is configured to create an incident, grouping similar alerts by IP address to avoid duplication.
-
Severity and Techniques:
- The severity of the alert is marked as high.
- It maps to MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1078 (Valid Accounts), indicating potential tactics used by attackers.
In summary, this query helps security teams quickly identify and respond to suspicious network activities involving known threat IPs, potentially preventing or mitigating security incidents.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1d