Query Details

Threat Intelligence Indicator Stopped Event Reception

Query

let query_frequency = 1h;   // how often the analytics rule is scheduled to run
let query_period = 3d;      // lookback window for the ingestion check
// Expected ingestion cadence per data type, maintained in the 'DataType-IngestedTables' watchlist
let _ExpectedFrequencies =
    _GetWatchlist('DataType-IngestedTables')
    | where Type == "ThreatIntelligenceIndicator"
    | project Type, Critical, ExpectedIngestionFrequency = totimespan(Frequency)
;
ThreatIntelligenceIndicator
| where TimeGenerated > ago(query_period)
// Ignore indicators whose external id carries the STIX "indicator--" prefix
| where not(ExternalIndicatorId has "indicator--")
// Most recent ingestion_time() seen for the data type
| summarize IngestionTime = max(ingestion_time()) by Type
| lookup kind=inner _ExpectedFrequencies on Type
// Fire only while the last ingestion sits in the query_frequency-wide window just past the expected cadence,
// so each outage raises once instead of on every run
| where IngestionTime between (ago(ExpectedIngestionFrequency + query_frequency) .. ago(ExpectedIngestionFrequency))
| extend
    TimespanWithoutIngestion = now() - IngestionTime,
    AlertSeverity = case(
        Critical == "true", "High",
        "Informational"
        )
| project Type, Critical, ExpectedIngestionFrequency, TimespanWithoutIngestion, AlertSeverity

Explanation

The query reads the expected ingestion frequency for the ThreatIntelligenceIndicator data type from the 'DataType-IngestedTables' watchlist, takes the most recent ingestion_time() of the indicators received in the last three days (excluding indicators whose ExternalIndicatorId contains "indicator--"), and alerts when that last ingestion is older than the expected frequency. The between clause restricts the match to the one-hour window just past the expected frequency, so a stopped feed is reported once rather than on every scheduled run. The alert severity is High when the watchlist marks the data type as critical and Informational otherwise. The results include the indicator type, criticality, expected ingestion frequency, time without ingestion, and alert severity.
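The following Python model is an added example, not part of the original query or the author's work. It reproduces the lookup, between and case steps of the KQL above over constructed data, so the one-shot behaviour of the alert window can be checked offline: the watchlist rows, the fixed "now" and the per-type last-ingestion timestamps are all invented for the illustration, and the watchlist here carries several data types to show the join and window logic in general rather than for ThreatIntelligenceIndicator alone.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the 'DataType-IngestedTables' watchlist the query joins on.
# Column names mirror the ones the query projects: Type, Critical, Frequency.
WATCHLIST = [
    {"Type": "ThreatIntelligenceIndicator", "Critical": "true", "Frequency": "1d"},
    {"Type": "SecurityAlert", "Critical": "false", "Frequency": "2h"},
    {"Type": "Syslog", "Critical": "false", "Frequency": "6h"},
]

UNITS = {"m": "minutes", "h": "hours", "d": "days"}


def totimespan(text):
    """Parse the subset of KQL timespan literals used in the watchlist (e.g. '30m', '2h', '1d')."""
    return timedelta(**{UNITS[text[-1]]: int(text[:-1])})


def stopped_ingestion(last_ingestion, watchlist, now, query_frequency=timedelta(hours=1)):
    """Model of the query's lookup + between(...) + case(...) stages.

    last_ingestion maps a data type to the max(ingestion_time()) from the summarize step.
    Returns one result row per data type whose last ingestion falls inside the alert window."""
    expected = {row["Type"]: row for row in watchlist}
    results = []
    for data_type, ingested in last_ingestion.items():
        row = expected.get(data_type)
        if row is None:
            continue  # lookup kind=inner drops types without a watchlist entry
        freq = totimespan(row["Frequency"])
        # between (ago(freq + query_frequency) .. ago(freq)) is inclusive on both ends
        lower = now - (freq + query_frequency)
        upper = now - freq
        if lower <= ingested <= upper:
            results.append({
                "Type": data_type,
                "Critical": row["Critical"],
                "ExpectedIngestionFrequency": freq,
                "TimespanWithoutIngestion": now - ingested,
                "AlertSeverity": "High" if row["Critical"] == "true" else "Informational",
            })
    return results


def demo():
    """Run the model over constructed timestamps; only the TI feed should be reported."""
    now = datetime(2024, 1, 1, 12, 0)  # constructed fixed clock
    last_ingestion = {
        "ThreatIntelligenceIndicator": now - timedelta(hours=24, minutes=30),  # just crossed 1d: alert
        "SecurityAlert": now - timedelta(hours=1),                             # within 2h: healthy
        "Syslog": now - timedelta(hours=30),                                   # crossed 6h long ago: already alerted
        "Heartbeat": now - timedelta(hours=48),                                # not in the watchlist: dropped
    }
    return stopped_ingestion(last_ingestion, WATCHLIST, now)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running it reports only ThreatIntelligenceIndicator (severity High, 24h30m without ingestion). Syslog is silent even though it is far past its 6h cadence, which is the point of the between window: the rule raised for it on an earlier run and does not keep re-raising.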

Details


Jose Sebastián Canós

Released: October 27, 2022

Tables

ThreatIntelligenceIndicator

Keywords

ThreatIntelligenceIndicator,DataType-IngestedTables

Operators

where, project, totimespan, ago, not, summarize, max, lookup, between, extend, now, case
