Query Details

Correlation: Firewall Traffic Matching Threat Intelligence Domain / URL

15 CSL Threat Intelligence Domain Match

Query

let TI_Domains =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | where Active == true
    | where isnotempty(DomainName)
    | summarize
        TI_ThreatTypes = make_set(ThreatType),
        TI_Confidence  = max(ConfidenceScore)
      by DomainName;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where isnotempty(DestinationHostName) or isnotempty(RequestURL)
| extend MatchKey = coalesce(DestinationHostName, RequestURL)
| join kind=inner TI_Domains on $left.MatchKey == $right.DomainName
| summarize
    FW_HitCount    = count(),
    FW_Users       = make_set(SourceUserName, 10),
    FW_SourceIPs   = make_set(SourceIP, 10),
    FW_Actions     = make_set(DeviceAction, 5),
    FW_Vendors     = make_set(DeviceVendor),
    TI_ThreatTypes = make_set(TI_ThreatTypes),
    TI_Confidence  = max(TI_Confidence),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by MatchKey
| order by FW_HitCount desc

Explanation

This query is designed to monitor and detect potential security threats by analyzing firewall and proxy logs from Fortinet, Palo Alto, and Zscaler devices. It specifically looks for instances where destination hostnames or URLs match known threat intelligence indicators of malicious domains.

Here's a simplified breakdown of what the query does:

  1. Threat Intelligence Data: It retrieves active threat intelligence indicators related to domain names from the last 30 days, focusing on those with a confidence score.

  2. Firewall/Proxy Logs: It examines logs from the past day, filtering for entries from specified vendors (Fortinet, Palo Alto, Zscaler) where a destination hostname or URL is present.

  3. Matching Process: The query matches these hostnames or URLs against the threat intelligence data to identify any overlaps.

  4. Data Aggregation: For each match, it compiles various details such as the number of times the domain was accessed (hit count), the users and source IPs involved, actions taken by the firewall, and the vendors of the devices that logged the activity.

  5. Alert Generation: If any matches are found, an alert is generated. The alert includes details like the domain name, the number of times it was accessed, and the confidence level of the threat intelligence indicator. This helps identify potential command-and-control (C2) communications, phishing activities, or malware staging attempts.

  6. Incident Management: The query is set to create incidents for detected threats, with configurations to group related alerts and manage incident lifecycles effectively.

Overall, this query helps security teams quickly identify and respond to potential threats by correlating firewall/proxy logs with threat intelligence data.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

ThreatIntelligenceIndicatorCommonSecurityLog

Keywords

ThreatIntelligenceIndicatorCommonSecurityLogDomainNameDestinationHostNameRequestURLSourceUserNameSourceIPDeviceActionDeviceVendorTimeGenerated

Operators

letwhereagoisnotemptysummarizemake_setmaxbyincoalescejoinoncountminorder bydesc

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: 15m

Period: 1d

Actions

GitHub