Query Details

Correlation: Firewall Traffic + Active Security Alert - Shared IOC IP

14 CSL Firewall Security Alert IOC Correlation

Query

let AlertIPs =
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | where AlertSeverity in ("High", "Medium")
    | mv-expand todynamic(Entities)
    | where Entities.Type == "ip"
    | extend AlertIP = tostring(Entities.Address)
    | where isnotempty(AlertIP)
    | summarize
        AlertCount    = count(),
        AlertNames    = make_set(AlertName, 10),
        Severities    = make_set(AlertSeverity, 3),
        Products      = make_set(ProductName, 5)
      by AlertIP;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| extend CheckIP = iff(ipv4_is_private(DestinationIP) == false, DestinationIP, SourceIP)
| summarize
    FW_HitCount     = count(),
    FW_Actions      = make_set(DeviceAction, 5),
    FW_InternalIPs  = make_set(SourceIP, 10),
    FW_Vendors      = make_set(DeviceVendor),
    FW_FirstSeen    = min(TimeGenerated),
    FW_LastSeen     = max(TimeGenerated)
  by CheckIP
| join kind=inner AlertIPs on $left.CheckIP == $right.AlertIP
| project
    IOC_IP        = CheckIP,
    AlertCount,
    AlertNames,
    Severities,
    Products,
    FW_HitCount,
    FW_Actions,
    FW_InternalIPs,
    FW_Vendors,
    FW_FirstSeen,
    FW_LastSeen
| order by AlertCount desc

Explanation

This query is designed to identify IP addresses that are involved in both active security alerts and recent firewall traffic, indicating potential ongoing threats. Here's a simple breakdown:

  1. Purpose: The query looks for IP addresses that have appeared in high or medium severity security alerts within the last 7 days and have also been seen in allowed firewall traffic in the last 24 hours. This helps to confirm if a flagged IP is still actively communicating through the network, which could indicate a security threat that needs immediate attention.

  2. Data Sources: It uses data from security alerts and firewall logs from vendors like Fortinet, Palo Alto Networks, and Zscaler.

  3. Process:

    • It first collects IP addresses from security alerts that are of high or medium severity.
    • Then, it checks firewall logs to see if these IPs have been involved in any traffic in the last day.
    • It correlates these two data sets to find IPs that appear in both, suggesting they are actively communicating through the network.
  4. Output: The query outputs a list of these IPs along with details such as the number of alerts they are involved in, the names of those alerts, the firewall actions taken, and the vendors involved.

  5. Severity and Response: The severity of this correlation is marked as high, meaning it should be prioritized for response. If such IPs are found, an incident is created for further investigation.

  6. MITRE ATT&CK Techniques: The query is associated with techniques like Valid Accounts (T1078) and Application Layer Protocol (T1071), which are common tactics used by attackers.

Overall, this query helps security teams quickly identify and respond to potential threats by correlating security alerts with real-time network activity.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

SecurityAlertCommonSecurityLog

Keywords

SecurityAlertCommonSecurityLogDeviceVendorSourceIPDestinationIPAlertNameAlertSeverityProductNameTimeGeneratedAddressIOC_IPAlertCountAlertNamesSeveritiesProductsFW_HitCountFW_ActionsFW_InternalIPsFW_VendorsFW_FirstSeenFW_LastSeen

Operators

letwhereagoinmv-expandtodynamicextendtostringisnotemptysummarizecountmake_setbyoriffipv4_is_privatefalsejoinkindonprojectorder bydesc

Severity

High

Tactics

InitialAccessCommandAndControl

MITRE Techniques

Frequency: 1h

Period: 7d

Actions

GitHub