mariohobel
Sep 23, 2020 · Copper Contributor
Microsoft URL threat intelligence - Azure Sentinel integration
Hi!
I read in some MS articles that it is possible to match URLs from custom logs to Microsoft URL threat intelligence. But I can't find any guide to do this. Is there any information available to match URLs from, for example, firewall logs to Microsoft URL threat intelligence?
Thanks
- CliveWatson
Microsoft
Using CommonSecurityLog (instead of a custom log), this finds a matching Url in ThreatIntelligenceIndicator that is also in CommonSecurityLog. This is a very basic example.
    // Indicators that carry a URL; keep the part between "http://" and the next "/"
    ThreatIntelligenceIndicator
    | where isnotempty(Url)
    | parse Url with * "http://" strUrl "/" *
    | where isnotempty(strUrl)
    | summarize by RequestURLti = strUrl, Url
    | join (
        // Distinct request URLs seen in CommonSecurityLog
        CommonSecurityLog
        | where isnotempty(RequestURL) and RequestURL != '/'
        | summarize by RequestURL
      ) on $left.RequestURLti == $right.RequestURL
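
Added example, not part of the original thread and not Microsoft's own code: a variant of the query above that extracts the host with `parse_url()` so `https://` indicators match as well, compares hosts case-insensitively, and drops inactive or expired indicators. Both tables are constructed sample data so the query runs as-is; `MyFirewall_CL` and `Url_s` are hypothetical names for a custom log table and its URL column.

```kusto
// Constructed stand-in for ThreatIntelligenceIndicator (only the columns used here).
let TI = datatable(TimeGenerated:datetime, IndicatorId:string, Url:string,
                   Active:bool, ExpirationDateTime:datetime)
[
    datetime(2020-09-20), "ind-1", "http://bad.example/payload.exe", true, datetime(2030-01-01),
    datetime(2020-09-21), "ind-2", "https://phish.example/login",    true, datetime(2030-01-01),
    datetime(2020-09-19), "ind-3", "http://old.example/",            true, datetime(2020-09-20)
];
// Constructed stand-in for a custom firewall table (hypothetical MyFirewall_CL / Url_s).
let MyFirewall_CL = datatable(TimeGenerated:datetime, SrcIp:string, Url_s:string)
[
    datetime(2020-09-22 10:00), "10.0.0.5", "https://PHISH.example/login?u=1",
    datetime(2020-09-22 10:05), "10.0.0.6", "http://old.example/",
    datetime(2020-09-22 10:07), "10.0.0.7", "http://intranet.example/home"
];
TI
// Keep only the latest version of each indicator, then drop inactive or expired ones.
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where isnotempty(Url)
// parse_url() handles both http and https; lower-case the host for comparison.
| extend TiHost = tolower(tostring(parse_url(Url).Host))
| where isnotempty(TiHost)
| project IndicatorId, IndicatorUrl = Url, TiHost
| join kind=inner (
    MyFirewall_CL
    | where isnotempty(Url_s)
    | extend LogHost = tolower(tostring(parse_url(Url_s).Host))
    | where isnotempty(LogHost)
    | project LogTime = TimeGenerated, SrcIp, Url_s, LogHost
  ) on $left.TiHost == $right.LogHost
| project LogTime, SrcIp, Url_s, IndicatorId, IndicatorUrl
```

Like the query in the answer, this matches on the host rather than the full URL, so any path on a listed host produces a hit. To run it against real data, remove the two `let` statements and use `ThreatIntelligenceIndicator` and your own table and column names.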