ThreatIntelligenceIndicator - correlating with other log feeds in sentinel using kql

Iron Contributor

Hi there,

Has anyone tried using kql to map threat feeds to the entities (or whatever) in the existing alerts in Sentinel?


For example, if I start with this, I get a list of source IPs that match threat intel domain names:

|where DnsQuery <> ""
|join ThreatIntelligenceIndicator on $left.DnsQuery == $right.DomainName
|Distinct HostIP


I'd like to match those HostIPs to any alerts that include those IPs.

For example is there a way to query the "Entity Behaviours" in Sentinel and see if there's a match?



1 Reply

So I did a join on the first table and the threatintelligence table and used 'let' to save the result to a temporary table.

Then I did the join again on the second table with the first table above.
That seems to work
I added test variables for easier validation:

let table1 = (SecurityAlert|where TimeGenerated > now(-30d)|mv-expand todynamic(Entities)
|extend Type_ = tostring(Entities.Type)|where Type_ == "ip"| where Entities.Address <> ""
|extend field1 = "" // test field in table1.
|join kind=inner (ThreatIntelligenceIndicator) on $left.field1 == $right.NetworkIP

//now we have 2 tables with matching data because I added "" to the threatintelligence table.
|project field1, NetworkIP); // just to keep the output simple.
Infoblox_dnsclient // now it's time to join the infoblox table to the above results.
|where TimeGenerated > now(-8d)|take 5
|extend field2 = "" // test field in table2
|project field2
|join kind=inner table1 on $left.field2 == $right.field1

//field1 from alerts/threatintelligence and field2 from Infoblox.


Does anyone think this is a good idea for creating alerts with a very low number of false positives?
Can you suggest a list of log sources where this could be useful? eg:

EDR + ThreatIntelligence + any of the following:

  1. Defender for O365 - mapped by user/email
  2. Living off the Land powershell events - mapped by Host IP (eg curl/wget to external IP)
  3. PaloAlto THREAT logs - mapped by outbound source IP
    FIM - file integrity monitor - mapped by host IP
  4. Honeytokens - password spray hits honeytoken user account - mapped by host IP
  5. Any policy violations - network scan, password spray, etc - mapped by host IP

So you can do just a join on any of the above 5 AND EDR, or go further and also join in threatintelligence for a higher severity alert?