Forum Discussion
Minemeld Threat Intel Integration to Sentinel
Ah ok, sorry, as I don't have the raw data I assumed the CIDR was in multiple rows. You will probably have to check with an ipv4_is_match in that case; use this as a starting point:
```kusto
// Take a single CIDR block as a scalar (the TI query is cut down to one fake block here)
let tiIP = toscalar(ThreatIntelligenceIndicator
//| where isnotempty(NetworkCidrBlock)
// add in a fake CIDR block
| summarize by NetworkCidrBlock = "193.228.91.0/26");
SigninLogs
// add a fake IP
| project IPAddress = "193.228.91.63"
// ipv4_is_match(ip, cidr) returns true when the IP falls inside the block
| summarize by IPAddress, tiIP, found_IP_inCIDRblock=ipv4_is_match(IPAddress, tiIP)
```
When I pass in .63 it's within the CIDR range, so the last column == true:
| IPAddress | __scalar_89df8fb8a4a94d418dfea734f7a12561 | found_IP_inCIDRblock |
|---|---|---|
| 193.228.91.63 | 193.228.91.0/26 | true |
else, when I use .64:
| IPAddress | __scalar_87a8d226aae14e3bb6dd5fd09ff9472e | found_IP_inCIDRblock |
|---|---|---|
| 193.228.91.64 | 193.228.91.0/26 | false |
You may even need to use this in a Function, as an idea?
```kusto
// toscalar() keeps the first column of the first row, so only one block is used
let tiIP = toscalar(ThreatIntelligenceIndicator
| where isnotempty(NetworkCidrBlock)
| summarize by NetworkCidrBlock);
SigninLogs
| project IPAddress
| summarize by IPAddress, tiIP, found_IP_inCIDRblock=ipv4_is_match(IPAddress, tiIP)
```
or even just get the latest CIDR block, with arg_max?
```kusto
// arg_max picks the row with the highest NetworkCidrBlock value; toscalar keeps that block
let tiIP = toscalar(ThreatIntelligenceIndicator
| where isnotempty(NetworkCidrBlock)
| summarize arg_max(NetworkCidrBlock, *));
SigninLogs
| project IPAddress
| summarize by IPAddress, tiIP, found_IP_inCIDRblock=ipv4_is_match(IPAddress, tiIP)
```
Thank you, that works for a single NetworkCidrBlock value, but when you import TI from Minemeld it comes with a lot of records with different CIDR block values:
1. 141.98.81.0/24
2. 94.102.51.0/24
...and so on.
The latest query seems to only take the first NetworkCidrBlock record into consideration, so if there's an IPAddress in the SigninLogs between 94.102.51.0-94.102.51.255 it wouldn't trigger.
- JoachimLassus, Oct 08, 2020, Copper Contributor
Tried to send you a PM but it keeps timing out. Here's the output from the query (one record per line):
```text
TenantId TimeGenerated SourceSystem Action ActivityGroupNames AdditionalInformation ApplicationId AzureTenantId ConfidenceScore Description ExternalIndicatorId ExpirationDateTime IndicatorId ThreatType Active MalwareNames Tags TrafficLightProtocolLevel NetworkCidrBlock Type
56241ceb-e7c3-4e86-a1d1-5b811ca58c07 2020-10-06T20:36:44.366Z SecurityGraph alert [] 6bfdb47a-cb3e-4b91-854a-9d201e501f6a 50 IPv4 indicator from ET.compromised_ips IPv4:162.246.232.59-162.246.232.59 2020-11-04T20:35:13.158Z AFA511155E730E2B3F1F94B17AF122047A1A06725768DECD237FF4A9DA364349 Malware TRUE [] [] green 162.246.232.59/32 ThreatIntelligenceIndicator
56241ceb-e7c3-4e86-a1d1-5b811ca58c07 2020-10-06T20:36:44.421Z SecurityGraph alert [] 6bfdb47a-cb3e-4b91-854a-9d201e501f6a 100 IPv4 indicator from dshield.block IPv4:94.102.56.0-94.102.56.237 2020-11-04T20:35:13.165Z 8F932C6DE5E12C584EB97336A31D4AE784F8A5D4FCF9B8BFAF66FB649DE451A7 Malware TRUE [] [] green 94.102.56.232/30 ThreatIntelligenceIndicator
56241ceb-e7c3-4e86-a1d1-5b811ca58c07 2020-10-06T20:36:44.46Z SecurityGraph alert [] 6bfdb47a-cb3e-4b91-854a-9d201e501f6a 100 IPv4 indicator from dshield.block IPv4:94.102.56.239-94.102.56.255 2020-11-04T20:35:13.166Z 319E70E85C9E8EA6FF09144DAAAF9834153EEDF4FAB80D563C3AFD4B474D54C6 Malware TRUE [] [] green 94.102.56.239/32 ThreatIntelligenceIndicator
56241ceb-e7c3-4e86-a1d1-5b811ca58c07 2020-10-06T20:36:44.48Z SecurityGraph alert [] 6bfdb47a-cb3e-4b91-854a-9d201e501f6a 100 IPv4 indicator from dshield.block IPv4:45.129.33.0-45.129.33.255 2020-11-04T20:35:13.144Z 98608B1CF8142DB574A10AAFFB7FABF4941A5E10D389F884ED59C951A6B374CE Malware TRUE [] [] green 45.129.33.0/24 ThreatIntelligenceIndicator
56241ceb-e7c3-4e86-a1d1-5b811ca58c07 2020-10-06T20:36:44.492Z SecurityGraph alert [] 6bfdb47a-cb3e-4b91-854a-9d201e501f6a 50 IPv4 indicator from ET.compromised_ips IPv4:93.123.16.135-93.123.16.135 2020-11-04T20:35:13.158Z 0C29DB110C776891A25CCFF4306B1765983CD84F8F5D871EEE64B46E0E239857 Malware TRUE [] [] green 93.123.16.135/32 ThreatIntelligenceIndicator
```
- CliveWatson, Oct 07, 2020, Former Employee
Are we slowly getting to an answer? Sorry it's taken a while, but it's hard to do without seeing or having this data.
I have used a datatable to emulate 2 rows of the data I think you are seeing, using just 3 columns: TimeGenerated, NetworkCidrBlock and NetworkIP. Now I have made an assumption that the NetworkIP appears in the same rows as a CIDR block and it's an IP that I can use for the join? Is it one somewhere in the CIDR block or the first one?
```kusto
// Emulated ThreatIntelligenceIndicator rows (two CIDR blocks, constructed test data)
let ThreatIntelligenceIndicator = datatable (TimeGenerated:datetime, NetworkCidrBlock:string, NetworkIP:string) [
    datetime(2020-10-07T13:25:34.971Z), "193.228.91.0/26", "193.228.91.0",
    // /24 here; a /36 prefix is not a valid IPv4 CIDR and ipv4_is_match would not match it
    datetime(2020-10-07T13:25:35.971Z), "94.102.51.0/24",  "94.102.51.0"
];
ThreatIntelligenceIndicator
| join (
    SigninLogs
    | project IPAddress = "94.102.51.0"   // fake IP equal to the NetworkIP of the second row
) on $left.NetworkIP == $right.IPAddress
| summarize by IPAddress, NetworkCidrBlock, found_IP_inCIDRblock=ipv4_is_match(IPAddress, NetworkCidrBlock)
```
You should just be able to take the above and run this part, as shown below (if my assumption that the NetworkIP == IPAddress in SigninLogs is right?); if not we need another column to join the data on:
```kusto
ThreatIntelligenceIndicator
| join (
    SigninLogs
    //| project IPAddress = "94.102.51.63"
) on $left.NetworkIP == $right.IPAddress
| summarize by IPAddress, NetworkCidrBlock, found_IP_inCIDRblock=ipv4_is_match(IPAddress, NetworkCidrBlock)
```
It would help to see a few lines of the real data from Minemeld; perhaps you can run
```kusto
ThreatIntelligenceIndicator
| limit 5
```
and export this to Excel in the GUI and send me a private message with it, if you don't want to share it here?
Thanks, Clive
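Both approaches in the thread look at one indicator at a time: the toscalar() queries keep only the first NetworkCidrBlock row (the limitation Joachim describes), and the join on NetworkIP only fires when a sign-in IP equals the indicator's own address, not when it falls inside the block. The query below is an added example, not code from the original thread or from either poster: it cross-joins every sign-in against every active CIDR block on a constant key and keeps the pairs where ipv4_is_match() is true, so all of Minemeld's blocks are checked. Both tables are constructed inline as datatables so it runs in any Log Analytics workspace; Active and NetworkCidrBlock come from the schema shown in Joachim's output, while the SigninLogs columns UserPrincipalName and IPAddress and all IP values are assumptions made for the example.

```kusto
// Constructed stand-in for the Minemeld-fed ThreatIntelligenceIndicator table
// (column names Active and NetworkCidrBlock as in the thread; values are made up).
let ThreatIntelligenceIndicator = datatable (TimeGenerated:datetime, Active:bool, NetworkCidrBlock:string) [
    datetime(2020-10-06T20:36:44Z), true,  "141.98.81.0/24",
    datetime(2020-10-06T20:36:45Z), true,  "94.102.51.0/24",
    datetime(2020-10-06T20:36:46Z), true,  "45.129.33.0/24",
    datetime(2020-10-06T20:36:47Z), false, "193.228.91.0/26"
];
// Constructed stand-in for SigninLogs (UserPrincipalName and IPAddress columns assumed).
// 94.102.51.77 and 45.129.33.200 sit inside active blocks, 203.0.113.5 matches nothing,
// and 193.228.91.10 only falls inside the inactive block, so it must not be reported.
let SigninLogs = datatable (TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string) [
    datetime(2020-10-08T09:00:00Z), "alice@contoso.example", "94.102.51.77",
    datetime(2020-10-08T09:05:00Z), "bob@contoso.example",   "203.0.113.5",
    datetime(2020-10-08T09:10:00Z), "carol@contoso.example", "45.129.33.200",
    datetime(2020-10-08T09:15:00Z), "dave@contoso.example",  "193.228.91.10"
];
// Every distinct, still-active CIDR block, plus a constant key for the cross join.
let tiCidr = ThreatIntelligenceIndicator
    | where Active == true and isnotempty(NetworkCidrBlock)
    | summarize by NetworkCidrBlock
    | extend JoinKey = 1;
SigninLogs
| extend JoinKey = 1
// inner join on the constant key pairs each sign-in with every block (rows x blocks)
| join kind=inner tiCidr on JoinKey
// keep only the pairs where the sign-in IP lies inside the block
| where ipv4_is_match(IPAddress, NetworkCidrBlock)
| project TimeGenerated, UserPrincipalName, IPAddress, MatchedCidrBlock = NetworkCidrBlock
```

On the constructed data this returns two rows: alice (94.102.51.77 in 94.102.51.0/24) and carol (45.129.33.200 in 45.129.33.0/24); bob has no match and dave is dropped because his block is inactive. The cross join costs rows x blocks, so on a real workspace filter SigninLogs to the analytics rule's lookback window before the join; newer Kusto versions also offer the ipv4_lookup plugin for the same many-to-many CIDR match.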