Sentinel ThreatIntelligenceIndicator


Hello,


I'm trying to join Syslog with the ThreatIntelligenceIndicator table. This is what I have so far:

Syslog
| extend NetworkIP = SyslogMessage
| join ThreatIntelligenceIndicator on NetworkIP
| where Active == true
| summarize by TimeGenerated, Url, ThreatType, NetworkIP

The issue is that I'm trying to match the IPs that are within the SyslogMessage to the ThreatIntelligenceIndicator malicious IPs, and since there are a lot of words before the actual IPs within the SyslogMessage, I'm not going to get any hits. Can someone please point me in the right direction?


@idontknowanything 


SyslogMessage can be in a few different formats depending on the vendor. This example uses an extract to find the value after "dst=" (the destination IP); you will have to adapt it for your string/format.

Syslog
| project SyslogMessage
// Pull the destination IP out of the message text; the regex assumes a "dst=1.2.3.4" or dst="1.2.3.4" token.
| extend dstIP = extract(@'dst=\"?([\w\.]+)\"?', 1, SyslogMessage)
// Inner join keeps only syslog rows whose extracted IP matches an indicator
// (rightanti would instead return the indicators that did NOT match anything).
| join kind=inner
    (
    ThreatIntelligenceIndicator
    | project NetworkIP, ThreatType, Active, TimeGenerated, Url
    ) on $left.dstIP == $right.NetworkIP
| where Active == true
| summarize by TimeGenerated, Url, ThreatType, NetworkIP

The Sentinel Github is a good source of examples: Search · syslogmessage (github.com)
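A more general version of the reply's approach, added here as an example and not code from the thread: instead of keying on one vendor's "dst=" token it extracts every IPv4 address in SyslogMessage, and it builds the indicator set the way Sentinel's own TI analytic rules do (newest copy of each indicator, active, not yet expired). Table and column names are the standard Sentinel ones; the lookback windows and the private-address filter are assumptions to tune.

```kql
// Added example: match any IPv4 found in SyslogMessage against the current,
// active IP indicators in ThreatIntelligenceIndicator (not from the original thread).
let dt_lookBack  = 1h;    // how far back to scan Syslog (assumed value)
let ioc_lookBack = 14d;   // how far back to consider indicator updates (assumed value)
// 1. Indicator set: keep only the newest version of each indicator, then drop
//    inactive or expired ones so stale IOCs do not produce false matches.
let ip_indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    // An indicator may carry the address in one of several fields; take the first populated one.
    | extend TI_IP = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
    | where isnotempty(TI_IP)
    | project TI_IP, IndicatorId, ThreatType, Description, ConfidenceScore,
              ExpirationDateTime, Url;
// 2. Extract every IPv4 address from the message, whatever the vendor's format.
Syslog
| where TimeGenerated >= ago(dt_lookBack)
| extend MsgIPs = extract_all(@'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', SyslogMessage)
| where array_length(MsgIPs) > 0
| mv-expand MsgIP = MsgIPs to typeof(string)
// Private and loopback addresses are rarely in TI feeds and only add noise.
| where not(ipv4_is_private(MsgIP)) and MsgIP !startswith "127."
// 3. Inner join keeps only the syslog lines whose IP is a known indicator.
| join kind=inner ip_indicators on $left.MsgIP == $right.TI_IP
| project TimeGenerated, Computer, Facility, SeverityLevel, MsgIP,
          ThreatType, Description, ConfidenceScore, IndicatorId, Url, SyslogMessage
```

If the same message contains several matching addresses, each match comes back as its own row; add a `summarize` by TimeGenerated and Computer if one alert per line is preferred.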