Query Details

Correlation: Firewall Traffic Matching Threat Intelligence Domain / URL

15 CSL Threat Intelligence Domain Match

Query

let TI_Domains =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | where Active == true
    | where isnotempty(DomainName)
    | summarize
        TI_ThreatTypes = make_set(ThreatType),
        TI_Confidence  = max(ConfidenceScore)
      by DomainName;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where isnotempty(DestinationHostName) or isnotempty(RequestURL)
| extend MatchKey = coalesce(DestinationHostName, RequestURL)
| join kind=inner TI_Domains on $left.MatchKey == $right.DomainName
| summarize
    FW_HitCount    = count(),
    FW_Users       = make_set(SourceUserName, 10),
    FW_SourceIPs   = make_set(SourceIP, 10),
    FW_Actions     = make_set(DeviceAction, 5),
    FW_Vendors     = make_set(DeviceVendor),
    TI_ThreatTypes = make_set(TI_ThreatTypes),
    TI_Confidence  = max(TI_Confidence),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by MatchKey
| order by FW_HitCount desc

Explanation

This query is designed to detect potential security threats by analyzing firewall and proxy logs from Fortinet, Palo Alto, and Zscaler devices. It checks if any destination hostnames or URLs in these logs match known threat intelligence indicators of malicious domains. Here's a simplified breakdown:

  1. Purpose: The query identifies when a domain or URL, flagged as a threat by threat intelligence sources, is accessed through the corporate network. This could indicate malicious activities such as command-and-control (C2) communication, phishing, or malware staging.

  2. Data Sources: It uses logs from common security events and threat intelligence indicators.

  3. Frequency and Scope: The query runs every 15 minutes and looks at data from the past day.

  4. Process:

    • It first gathers active threat intelligence domains from the past 30 days.
    • Then, it examines firewall/proxy logs from the past day to find any matches with these threat intelligence domains.
    • If a match is found, it collects details like the number of times the domain was accessed, the users and IPs involved, actions taken by the firewall, and the vendors of the devices.
  5. Output: The results are sorted by the number of times a threat domain was accessed. It generates alerts with details such as the domain name, the number of hits, and the confidence level of the threat intelligence.

  6. Alerts and Incidents: If a match is found, an alert is generated, and an incident is created. The alert includes a description of the potential threat and the number of times the domain was accessed.

  7. Severity: The severity of this detection is marked as high, indicating a significant potential threat.

Overall, this query helps security teams quickly identify and respond to potential threats by correlating firewall activity with known malicious domains.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

ThreatIntelligenceIndicatorCommonSecurityLog

Keywords

FirewallTrafficThreatIntelligenceDomainURLFortinetPaloAltoZscalerThreatIntelligenceIndicatorCommonSecurityEventsCommonSecurityLogThreatIntelligenceCommandAndControlDNS

Operators

letwhereagoisnotemptysummarizemake_setmaxbyinextendcoalescejoinoncountminorder by

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: 15m

Period: 1d

Actions

GitHub