Correlation: Firewall Traffic Matching Threat Intelligence Domain / URL
15 CSL Threat Intelligence Domain Match
Query
let TI_Domains =
ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| where Active == true
| where isnotempty(DomainName)
| summarize
TI_ThreatTypes = make_set(ThreatType),
TI_Confidence = max(ConfidenceScore)
by DomainName;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where isnotempty(DestinationHostName) or isnotempty(RequestURL)
| extend MatchKey = coalesce(DestinationHostName, RequestURL)
| join kind=inner TI_Domains on $left.MatchKey == $right.DomainName
| summarize
FW_HitCount = count(),
FW_Users = make_set(SourceUserName, 10),
FW_SourceIPs = make_set(SourceIP, 10),
FW_Actions = make_set(DeviceAction, 5),
FW_Vendors = make_set(DeviceVendor),
TI_ThreatTypes = make_set(TI_ThreatTypes),
TI_Confidence = max(TI_Confidence),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by MatchKey
| order by FW_HitCount descExplanation
This query is designed to detect potential security threats by analyzing firewall and proxy logs from Fortinet, Palo Alto, and Zscaler devices. It checks if any destination hostnames or URLs in these logs match known threat intelligence indicators of malicious domains. Here's a simplified breakdown:
-
Purpose: The query identifies when a domain or URL, flagged as a threat by threat intelligence sources, is accessed through the corporate network. This could indicate malicious activities such as command-and-control (C2) communication, phishing, or malware staging.
-
Data Sources: It uses logs from common security events and threat intelligence indicators.
-
Frequency and Scope: The query runs every 15 minutes and looks at data from the past day.
-
Process:
- It first gathers active threat intelligence domains from the past 30 days.
- Then, it examines firewall/proxy logs from the past day to find any matches with these threat intelligence domains.
- If a match is found, it collects details like the number of times the domain was accessed, the users and IPs involved, actions taken by the firewall, and the vendors of the devices.
-
Output: The results are sorted by the number of times a threat domain was accessed. It generates alerts with details such as the domain name, the number of hits, and the confidence level of the threat intelligence.
-
Alerts and Incidents: If a match is found, an alert is generated, and an incident is created. The alert includes a description of the potential threat and the number of times the domain was accessed.
-
Severity: The severity of this detection is marked as high, indicating a significant potential threat.
Overall, this query helps security teams quickly identify and respond to potential threats by correlating firewall activity with known malicious domains.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 15m
Period: 1d