Correlation: Firewall Traffic + Active Security Alert - Shared IOC IP
14 CSL Firewall Security Alert IOC Correlation
Query
let AlertIPs =
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity in ("High", "Medium")
| mv-expand todynamic(Entities)
| where Entities.Type == "ip"
| extend AlertIP = tostring(Entities.Address)
| where isnotempty(AlertIP)
| summarize
AlertCount = count(),
AlertNames = make_set(AlertName, 10),
Severities = make_set(AlertSeverity, 3),
Products = make_set(ProductName, 5)
by AlertIP;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| extend CheckIP = iff(ipv4_is_private(DestinationIP) == false, DestinationIP, SourceIP)
| summarize
FW_HitCount = count(),
FW_Actions = make_set(DeviceAction, 5),
FW_InternalIPs = make_set(SourceIP, 10),
FW_Vendors = make_set(DeviceVendor),
FW_FirstSeen = min(TimeGenerated),
FW_LastSeen = max(TimeGenerated)
by CheckIP
| join kind=inner AlertIPs on $left.CheckIP == $right.AlertIP
| project
IOC_IP = CheckIP,
AlertCount,
AlertNames,
Severities,
Products,
FW_HitCount,
FW_Actions,
FW_InternalIPs,
FW_Vendors,
FW_FirstSeen,
FW_LastSeen
| order by AlertCount descExplanation
This query is designed to identify IP addresses that are involved in both active security alerts and recent firewall traffic, indicating potential ongoing threats. Here's a simple breakdown:
-
Purpose: The query looks for IP addresses that have appeared in high or medium severity security alerts within the last 7 days and have also been seen in allowed firewall traffic in the last 24 hours. This helps to confirm if a flagged IP is still actively communicating through the network, which could indicate a security threat that needs immediate attention.
-
Data Sources: It uses data from security alerts and firewall logs from vendors like Fortinet, Palo Alto Networks, and Zscaler.
-
Process:
- It first collects IP addresses from security alerts that are of high or medium severity.
- Then, it checks firewall logs to see if these IPs have been involved in any traffic in the last day.
- It correlates these two data sets to find IPs that appear in both, suggesting they are actively communicating through the network.
-
Output: The query outputs a list of these IPs along with details such as the number of alerts they are involved in, the names of those alerts, the firewall actions taken, and the vendors involved.
-
Severity and Response: The severity of this correlation is marked as high, meaning it should be prioritized for response. If such IPs are found, an incident is created for further investigation.
-
MITRE ATT&CK Techniques: The query is associated with techniques like Valid Accounts (T1078) and Application Layer Protocol (T1071), which are common tactics used by attackers.
Overall, this query helps security teams quickly identify and respond to potential threats by correlating security alerts with real-time network activity.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 7d