idontknowanything, Copper Contributor
May 30, 2022
Sentinel ThreatIntelligenceIndicator
Hello,
I'm trying to join Syslog with the threat intelligence indicator. This is what I have so far:
Syslog
| extend NetworkIP = SyslogMessage
| join ThreatIntelligenceIndicator on NetworkIP
| where Active == true
| summarize by TimeGenerated, Url, ThreatType, NetworkIP
The issue is that I'm trying to match the IPs that are within the SyslogMessage to the ThreatIntelligenceIndicator malicious IPs, and since there are a lot of words before the actual IPs within the SyslogMessage, I'm not going to get any hits. Can someone please point me in the right direction?
Clive_Watson, Bronze Contributor
SyslogMessage can be in a few different formats depending on the vendor. This example uses an extract to find the value after "dst=" (the destination IP); you will have to adapt it for your string/format.
Syslog
| project SyslogMessage
// capture the token after dst= (optionally quoted) as the destination IP
| extend dstIP = extract(@'dst=\"?([\w\.]+)\"?', 1, SyslogMessage)
// an inner join keeps only the syslog rows whose dstIP matches an indicator
| join kind=inner (
    ThreatIntelligenceIndicator
    | project NetworkIP, ThreatType, Active, TimeGenerated, Url
) on $left.dstIP == $right.NetworkIP
| where Active == true
| summarize by TimeGenerated, Url, ThreatType, NetworkIP
The Sentinel GitHub is a good source of examples: Search · syslogmessage (github.com)
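Added example, not code from this thread: a self-contained KQL query that goes one step beyond the answer above. Instead of relying on a vendor-specific "dst=" prefix, it pulls every IPv4 literal out of SyslogMessage with extract_all, expands them one per row, and inner-joins against the indicator table. It also applies two checks that Sentinel's own TI analytic rules use: keep only the latest row per IndicatorId (indicators are re-ingested), and drop indicators that are inactive or past ExpirationDateTime. Both input tables are constructed inline with datatable so the query runs in any Log Analytics workspace; the column names match the Syslog and ThreatIntelligenceIndicator schemas, and the hostnames, addresses and indicator ids are made-up sample values.

```kusto
// Constructed sample inputs (stand-ins for the Syslog and ThreatIntelligenceIndicator tables).
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, SyslogMessage:string)
[
    datetime(2022-05-30 10:00:00), "fw01", "CEF:0|Vendor|FW|1.0|100|Allowed|3|src=10.0.0.5 dst=203.0.113.10 spt=51000 dpt=443",
    datetime(2022-05-30 10:00:05), "fw01", "connection from 10.0.0.7 to 198.51.100.23 port 80 accepted",
    datetime(2022-05-30 10:00:09), "fw02", "heartbeat ok, no addresses here",
];
let SampleTI = datatable(TimeGenerated:datetime, IndicatorId:string, NetworkIP:string, ThreatType:string, Active:bool, ExpirationDateTime:datetime, Url:string)
[
    datetime(2022-05-29 00:00:00), "ind-1", "203.0.113.10",  "Botnet",       true, datetime(2030-01-01), "",
    datetime(2022-05-29 00:00:00), "ind-2", "198.51.100.23", "MaliciousUrl", true, datetime(2020-01-01), "http://example.invalid/x", // already expired
    datetime(2022-05-29 00:00:00), "ind-3", "192.0.2.44",    "Phishing",     true, datetime(2030-01-01), "",
];
// Keep one (latest) row per indicator, then drop inactive or expired ones.
let ActiveTI = SampleTI
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, NetworkIP, ThreatType, Url, IndicatorTime = TimeGenerated;
SampleSyslog
// Pull every IPv4 literal out of the message, whatever text precedes it.
| extend IPs = extract_all(@'\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b', SyslogMessage)
| mv-expand IPs to typeof(string)
| where isnotempty(IPs)
// Inner join: only syslog rows whose address is a live indicator survive.
| join kind=inner ActiveTI on $left.IPs == $right.NetworkIP
| summarize MatchCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, IndicatorIP = NetworkIP, ThreatType, Url, IndicatorId
```

With these inputs only the fw01 message carrying 203.0.113.10 is returned; 198.51.100.23 is on the list but its indicator has expired, and 192.0.2.44 never appears in the logs. To use it for real, replace SampleSyslog with Syslog (adding a TimeGenerated window) and SampleTI with ThreatIntelligenceIndicator. Expanding every IPv4 costs more than a single extract, so on high-volume Syslog restrict the Syslog side first (Facility, ProcessName, or a contains filter) before the join.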