Correlation: Firewall Traffic Matching Threat Intelligence Domain / URL
15 CSL Threat Intelligence Domain Match
Query
let TI_Domains =
ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| where Active == true
| where isnotempty(DomainName)
| summarize
TI_ThreatTypes = make_set(ThreatType),
TI_Confidence = max(ConfidenceScore)
by DomainName;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where isnotempty(DestinationHostName) or isnotempty(RequestURL)
| extend MatchKey = coalesce(DestinationHostName, RequestURL)
| join kind=inner TI_Domains on $left.MatchKey == $right.DomainName
| summarize
FW_HitCount = count(),
FW_Users = make_set(SourceUserName, 10),
FW_SourceIPs = make_set(SourceIP, 10),
FW_Actions = make_set(DeviceAction, 5),
FW_Vendors = make_set(DeviceVendor),
TI_ThreatTypes = make_set(TI_ThreatTypes),
TI_Confidence = max(TI_Confidence),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by MatchKey
| order by FW_HitCount descExplanation
This query is designed to monitor and detect potential security threats by analyzing firewall and proxy logs from Fortinet, Palo Alto, and Zscaler devices. It specifically looks for instances where destination hostnames or URLs match known threat intelligence indicators of malicious domains.
Here's a simplified breakdown of what the query does:
-
Threat Intelligence Data: It retrieves active threat intelligence indicators related to domain names from the last 30 days, focusing on those with a confidence score.
-
Firewall/Proxy Logs: It examines logs from the past day, filtering for entries from specified vendors (Fortinet, Palo Alto, Zscaler) where a destination hostname or URL is present.
-
Matching Process: The query matches these hostnames or URLs against the threat intelligence data to identify any overlaps.
-
Data Aggregation: For each match, it compiles various details such as the number of times the domain was accessed (hit count), the users and source IPs involved, actions taken by the firewall, and the vendors of the devices that logged the activity.
-
Alert Generation: If any matches are found, an alert is generated. The alert includes details like the domain name, the number of times it was accessed, and the confidence level of the threat intelligence indicator. This helps identify potential command-and-control (C2) communications, phishing activities, or malware staging attempts.
-
Incident Management: The query is set to create incidents for detected threats, with configurations to group related alerts and manage incident lifecycles effectively.
Overall, this query helps security teams quickly identify and respond to potential threats by correlating firewall/proxy logs with threat intelligence data.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 15m
Period: 1d