Forum Discussion

Copper Contributor

Apr 10, 2020

Minemeld Threat Intel Integration to Sentinel

Hello guys, I have deployed a Minemeld server in Azure, I'm pulling free threat intel in there. Processing it, then using the Microsoft Security Graph extension to forward it to Microsoft. Turned...

GabrielNecula

Copper Contributor

May 19, 2020

pavankemi nope, will likely be done at query time in Sentinel. Please let me know if you find any other workarounds.
I've checked the python code and it seems like it SHOULD provide single ips, not ranges. No idea how to solve this.

GaryBushey

Bronze Contributor

May 19, 2020

GabrielNecula I have a column called NetworkCidrBlock that shows me the same information in CIDR notation. I am using the Mindmeld free stream.

GabrielNecula
Copper Contributor
May 19, 2020
GaryBushey
I know but you'd still have to parse the "/32" at query time. If it's anything other than /32, you will have to interpret that range somehow which is still hard.
- GaryBushey
  Bronze Contributor
  May 19, 2020
  GabrielNecula Take a look at the KQL command ipv4_is_match(). It can match using CIDR notations.
  - JoachimLassus
    Copper Contributor
    Oct 01, 2020
    GaryBushey
    
    Hi Gary, the TI queries join the SigninLogs or AzureActivity tables with TI using IP address so I don't understand how to use ipv4_is_match() in this scenario.
    
    ThreatIntelligenceIndicator
    | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
    | join (
    SigninLogs
    )
    on $left.TI_ipEntity == $right.IPAddress
    
    If Minmeld doesnt have NetworkIP and instead have a CIDR value, how would match the values before joining?
    
    Regards,
    Joachim