idontknowanything
May 29, 2022, Copper Contributor
Sentinel ThreatIntelligenceIndicator
Hello, I'm trying to join Syslog with the ThreatIntelligenceIndicator table. This is what I have so far: Syslog | extend NetworkIP = SyslogMessage | join ThreatIntelligenceIndicator on NetworkI...
Clive_Watson
May 30, 2022, Bronze Contributor
SyslogMessage can be in a few different formats depending on the vendor. This example uses an extract to find the value after "dst=" (the destination IP); you will have to adapt it for your string/format.
Syslog
| project SyslogMessage
// Pull the value after "dst=" (optionally quoted); adapt the regex to your vendor's message format.
| extend dstIP = extract(@'dst=\"?([\w\.]+)\"?', 1, SyslogMessage)
// Inner join keeps only the syslog rows whose destination IP appears as a TI indicator.
| join kind = inner
(
ThreatIntelligenceIndicator
| project NetworkIP, ThreatType, Active, TimeGenerated, Url
) on $left.dstIP == $right.NetworkIP
| where Active == true
| summarize by TimeGenerated, Url, ThreatType, NetworkIP
The Sentinel Github is a good source of examples: Search · syslogmessage (github.com)
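A fuller version of the same join, added here as an example and not part of the reply above or of any Microsoft sample. It assumes the standard Sentinel schema columns IndicatorId, ExpirationDateTime, ConfidenceScore and Description on ThreatIntelligenceIndicator, and Computer on Syslog; it deduplicates indicators to their latest version, drops expired ones, skips private addresses, and summarizes hits per indicator.

```kql
// Added example (not from the original post). Assumes the standard Sentinel
// column names named in the lead-in and a "dst=" key in SyslogMessage.
let lookback = 1d;
// Keep only the latest record per IndicatorId; repeated ingestion of the same
// indicator would otherwise yield duplicate matches.
let activeIndicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(14d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | project IndicatorId, NetworkIP, ThreatType, ConfidenceScore, Url, Description;
Syslog
| where TimeGenerated >= ago(lookback)
// Extract the dst= value (quoted or not) and discard rows with no match.
| extend dstIP = extract(@'dst=\"?([\w\.]+)\"?', 1, SyslogMessage)
| where isnotempty(dstIP)
// Private/reserved ranges are not covered by TI feeds; drop them early.
| where not(ipv4_is_private(dstIP))
| join kind=inner activeIndicators on $left.dstIP == $right.NetworkIP
| project TimeGenerated, Computer, dstIP, ThreatType, ConfidenceScore, Url, Description
| summarize Hits = count(), LastSeen = max(TimeGenerated), Hosts = make_set(Computer, 20)
    by dstIP, ThreatType, ConfidenceScore, Url, Description
| order by Hits desc
```

Extend the extract to "src=" as well if your vendor logs inbound connections, or the join will miss indicator matches on the source side.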