Query Details

Firewall Traffic to Threat Intelligence Flagged IP

03 CSL Threat Intelligence IP Match

Query

let TI_IPs =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | where Active == true
    | where isnotempty(NetworkIP)
    | summarize ThreatTypes = make_set(ThreatType), ConfidenceScore = max(ConfidenceScore)
        by TI_IP = NetworkIP;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(DestinationIP) or isnotempty(SourceIP)
| extend CheckIP = iff(ipv4_is_private(DestinationIP) == false, DestinationIP, SourceIP)
| join kind=inner TI_IPs on $left.CheckIP == $right.TI_IP
| summarize
    HitCount         = count(),
    InternalIPs      = make_set(SourceIP, 20),
    DeviceVendors    = make_set(DeviceVendor),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated),
    ThreatTypes      = make_set(ThreatTypes),
    ConfidenceScore  = max(ConfidenceScore)
  by TI_IP
| order by HitCount desc

Explanation

This query is designed to detect potentially malicious activity by identifying allowed firewall traffic to IP addresses flagged by threat intelligence sources. Here's a simplified breakdown:

  1. Purpose: The query checks for allowed connections from firewalls (Fortinet, Palo Alto, Zscaler) to IP addresses that are flagged as threats by threat intelligence data. Such connections could indicate a compromise, command-and-control (C2) communication, or an active exploitation attempt.

  2. Data Sources: It uses two main data sources:

    • CommonSecurityEvents: Logs from firewalls.
    • ThreatIntelligence: Indicators of threat intelligence, specifically focusing on IP addresses.
  3. Process:

    • Threat Intelligence IPs: It first collects active threat intelligence indicators from the past 30 days, focusing on IP addresses.
    • Firewall Logs: It then examines firewall logs from the past day, looking for allowed traffic (not denied or blocked) to these IPs.
    • IP Matching: It matches the destination or source IPs from the firewall logs with the threat intelligence IPs.
  4. Output:

    • It summarizes the findings by counting how many times each threat intelligence IP was contacted, listing internal IPs involved, the vendors of the devices that allowed the traffic, and the first and last time the IP was seen.
    • The results are ordered by the number of hits (contacts) in descending order.
  5. Alerting:

    • If any matches are found, an alert is generated with details about the threat intelligence IP, the confidence score of the threat, and the number of times it was contacted.
    • The alert is configured to create an incident, grouping similar alerts by IP address to avoid duplication.
  6. Severity and Techniques:

    • The severity of the alert is marked as high.
    • It maps to MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1078 (Valid Accounts), indicating potential tactics used by attackers.

In summary, this query helps security teams quickly identify and respond to suspicious network activities involving known threat IPs, potentially preventing or mitigating security incidents.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

ThreatIntelligenceIndicatorCommonSecurityLog

Keywords

FirewallTrafficThreatIntelligenceIPCompromiseCommunicationExploitationAttemptCommonSecurityEventsCommonSecurityLogThreatIntelligenceThreatIntelligenceIndicatorDeviceVendorDeviceActionDestinationIPSourceIPCheckIPHitCountInternalIPsDeviceVendorsFirstSeenLastSeenThreatTypesConfidenceScore

Operators

letwhereagoisnotemptysummarizemake_setmaxbyin!inextendiffipv4_is_privatejoinon$left$rightcountminorder bydesc

Severity

High

Tactics

CommandAndControlInitialAccess

MITRE Techniques

Frequency: 15m

Period: 1d

Actions

GitHub