Query Details

15 CSL Threat Intelligence Domain Match

Query

id: c5d6e7f8-a9b0-4c1d-2e3f-4a5b6c7d8e9f
name: "Correlation: Firewall Traffic Matching Threat Intelligence Domain / URL"
version: 1.0.0
kind: Scheduled
description: |
  Matches destination hostnames and URLs from firewall/proxy logs (Fortinet, Palo Alto, Zscaler)
  against active threat intelligence domain indicators in the ThreatIntelligenceIndicator table.
  A TI-flagged domain being resolved or accessed through the corporate perimeter — even if not
  blocked — indicates active C2 communication, phishing activity, or malware staging.
  MITRE ATT&CK: T1071 (Application Layer Protocol)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
  - connectorId: ThreatIntelligence
    dataTypes:
      - ThreatIntelligenceIndicator
queryFrequency: 15m
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  let TI_Domains =
      ThreatIntelligenceIndicator
      | where TimeGenerated > ago(30d)
      | where Active == true
      | where isnotempty(DomainName)
      | summarize
          TI_ThreatTypes = make_set(ThreatType),
          TI_Confidence  = max(ConfidenceScore)
        by DomainName;
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  | where isnotempty(DestinationHostName) or isnotempty(RequestURL)
  | extend MatchKey = coalesce(DestinationHostName, RequestURL)
  | join kind=inner TI_Domains on $left.MatchKey == $right.DomainName
  | summarize
      FW_HitCount    = count(),
      FW_Users       = make_set(SourceUserName, 10),
      FW_SourceIPs   = make_set(SourceIP, 10),
      FW_Actions     = make_set(DeviceAction, 5),
      FW_Vendors     = make_set(DeviceVendor),
      TI_ThreatTypes = make_set(TI_ThreatTypes),
      TI_Confidence  = max(TI_Confidence),
      FirstSeen      = min(TimeGenerated),
      LastSeen       = max(TimeGenerated)
    by MatchKey
  | order by FW_HitCount desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: MatchKey
customDetails:
  FW_HitCount: FW_HitCount
  TI_Confidence: TI_Confidence
alertDetailsOverride:
  alertDisplayNameFormat: "TI Domain Match in Firewall - {{MatchKey}} ({{FW_HitCount}} hits)"
  alertDescriptionFormat: "TI-flagged domain {{MatchKey}} (confidence: {{TI_Confidence}}) was contacted through the firewall {{FW_HitCount}} times. Possible C2 or active malware communication."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - DNS
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to monitor and detect potential security threats by analyzing firewall and proxy logs from Fortinet, Palo Alto, and Zscaler devices. It specifically looks for instances where destination hostnames or URLs match known threat intelligence indicators of malicious domains.

Here's a simplified breakdown of what the query does:

  1. Threat Intelligence Data: It retrieves active threat intelligence indicators that carry a domain name from the last 30 days and records, for each domain, the set of threat types and the highest confidence score seen.

  2. Firewall/Proxy Logs: It examines logs from the past day, filtering for entries from specified vendors (Fortinet, Palo Alto, Zscaler) where a destination hostname or URL is present.

  3. Matching Process: The query matches these hostnames or URLs against the threat intelligence data to identify any overlaps.

  4. Data Aggregation: For each match, it compiles various details such as the number of times the domain was accessed (hit count), the users and source IPs involved, actions taken by the firewall, and the vendors of the devices that logged the activity.

  5. Alert Generation: If any matches are found, an alert is generated. The alert includes details like the domain name, the number of times it was accessed, and the confidence level of the threat intelligence indicator. This helps identify potential command-and-control (C2) communications, phishing activities, or malware staging attempts.

  6. Incident Management: The query is set to create incidents for detected threats, with configurations to group related alerts and manage incident lifecycles effectively.

Overall, this query helps security teams quickly identify and respond to potential threats by correlating firewall/proxy logs with threat intelligence data.
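The correlation and aggregation described in steps 1 to 4, re-implemented in Python over constructed sample rows (this is an added illustration, not part of the rule or the author's code). It goes one step beyond the KQL: the rule's `coalesce(DestinationHostName, RequestURL)` compares the raw value with `DomainName` under KQL's case-sensitive `==`, so a full `RequestURL` or a mixed-case hostname would never match; `match_key` below reduces a URL to its host and lower-cases it, which is an assumption about how you would normalise, not what the rule does today. Field names follow the tables on the page; `fw_row`, `TI_INDICATORS` and `FW_LOGS` are constructed stand-ins.

```python
from urllib.parse import urlsplit
# Constructed stand-ins for ThreatIntelligenceIndicator rows (not real indicators).
TI_INDICATORS = [
    {"DomainName": "bad-c2.example", "Active": True, "ThreatType": "C2", "ConfidenceScore": 80},
    {"DomainName": "bad-c2.example", "Active": True, "ThreatType": "Malware", "ConfidenceScore": 65},
    {"DomainName": "retired.example", "Active": False, "ThreatType": "Phishing", "ConfidenceScore": 90},
]

def fw_row(vendor, host, url, user, action):
    # Constructed stand-in for a CommonSecurityLog row (not real telemetry).
    return {"DeviceVendor": vendor, "DestinationHostName": host, "RequestURL": url,
            "SourceUserName": user, "DeviceAction": action}

FW_LOGS = [
    fw_row("Fortinet", "BAD-C2.example", None, "alice", "allow"),                # mixed-case host
    fw_row("Zscaler", None, "https://bad-c2.example/gate.php", "bob", "block"),  # URL only
    fw_row("Cisco", "bad-c2.example", None, "carol", "allow"),                   # vendor out of scope
    fw_row("Palo Alto Networks", "retired.example", None, "dave", "allow"),      # inactive indicator
]

def match_key(row):
    """coalesce(DestinationHostName, RequestURL), normalised so a URL's host compares equal to DomainName."""
    value = row["DestinationHostName"] or row["RequestURL"] or ""
    if "://" in value:                 # RequestURL carries scheme and path; keep only the host part
        value = urlsplit(value).hostname or value
    return value.lower()               # KQL == is case-sensitive; indicator DomainName is usually lower-case

def build_ti_domains(indicators):
    """TI_Domains let-statement: active domain indicators, threat-type set and max confidence per domain."""
    ti = {}
    for ind in indicators:
        if not ind["Active"] or not ind["DomainName"]:
            continue
        entry = ti.setdefault(ind["DomainName"].lower(), {"TI_ThreatTypes": set(), "TI_Confidence": 0})
        entry["TI_ThreatTypes"].add(ind["ThreatType"])
        entry["TI_Confidence"] = max(entry["TI_Confidence"], ind["ConfidenceScore"])
    return ti

def correlate(fw_rows, indicators, vendors=("Fortinet", "Palo Alto Networks", "Zscaler")):
    """Inner join on the normalised key, then aggregate per MatchKey (time windows, SourceIP, First/LastSeen omitted)."""
    ti = build_ti_domains(indicators)
    hits = {}
    for row in fw_rows:
        key = match_key(row)
        if row["DeviceVendor"] not in vendors or key not in ti:
            continue
        hit = hits.setdefault(key, {"FW_HitCount": 0, "FW_Users": set(), "FW_Actions": set(), **ti[key]})
        hit["FW_HitCount"] += 1
        hit["FW_Users"].add(row["SourceUserName"])
        hit["FW_Actions"].add(row["DeviceAction"])
    return sorted(hits.items(), key=lambda kv: kv[1]["FW_HitCount"], reverse=True)
```

Only the two in-scope rows for bad-c2.example survive: the Cisco row fails the vendor filter and retired.example is not an active indicator, so one MatchKey with two hits is returned.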

Details

David Alonso

Released: March 2, 2026

Tables

ThreatIntelligenceIndicator, CommonSecurityLog

Keywords

ThreatIntelligenceIndicator, CommonSecurityLog, DomainName, DestinationHostName, RequestURL, SourceUserName, SourceIP, DeviceAction, DeviceVendor, TimeGenerated

Operators

let, where, ago, isnotempty, summarize, make_set, max, by, in, coalesce, join, on, count, min, order by, desc