ThreatIntelligenceIndicator - correlating with other log feeds in Sentinel using KQL


Hi there,

Has anyone tried using KQL to map threat feeds to the entities (or whatever) in the existing alerts in Sentinel?


For example, if I start with this, I get a list of source IPs that match threat intel domain names:

Infoblox_dnsclient
| where isnotempty(DnsQuery)                                                   // skip rows with no query name
| join ThreatIntelligenceIndicator on $left.DnsQuery == $right.DomainName     // default join kind is innerunique
| distinct HostIP                                                              // KQL operators are case-sensitive and lowercase


I'd like to match those HostIPs to any alerts that include those IPs.

For example, is there a way to query the "Entity Behaviours" in Sentinel and see if there's a match?


Thanks!
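
One way to do what the question asks, as an added example that is not part of the original post: the DNS-to-indicator join produces a set of host IPs, which is then joined to the IP entities carried inside SecurityAlert. It assumes Infoblox_dnsclient exposes the DnsQuery and HostIP columns used above and that ThreatIntelligenceIndicator and SecurityAlert carry their standard Sentinel columns; the 7-day log window and the 90-day indicator lookback are assumptions.

```kql
// Added example, not code from the original thread. Assumed: Infoblox_dnsclient has
// DnsQuery and HostIP; ThreatIntelligenceIndicator and SecurityAlert have their
// standard Sentinel schemas. The lookback values are assumptions.
let lookback = 7d;
// 1. Latest revision of each domain indicator, and only indicators still active.
//    The TI table keeps every revision of an indicator, so without arg_max one
//    domain can match several times and inflate the results.
let ti_domains =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(90d)            // indicators arrive over time; look back further than the logs
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project DomainName = tolower(DomainName), ConfidenceScore, ThreatType, Description, IndicatorId;
// 2. DNS lookups that hit an active indicator. Normalise the query the same way
//    (lowercase, trailing dot removed) so the join key actually matches.
let ti_dns_hits =
    Infoblox_dnsclient
    | where TimeGenerated > ago(lookback)
    | where isnotempty(DnsQuery)
    | extend Query = tolower(trim_end(@"\.", DnsQuery))
    | join kind=inner ti_domains on $left.Query == $right.DomainName
    | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                MatchedDomains = make_set(Query, 20),
                MaxConfidence = max(ConfidenceScore)
      by HostIP;
// 3. IP entities carried by existing alerts in the same window.
let alert_ips =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | mv-expand Entity = todynamic(Entities)     // one row per entity in the alert
    | where tostring(Entity.Type) == "ip"
    | extend EntityIP = tostring(Entity.Address)
    | where isnotempty(EntityIP)
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity, SystemAlertId, EntityIP;
// 4. Hosts that both resolved a TI domain and appear as an IP entity in an alert.
ti_dns_hits
| join kind=inner alert_ips on $left.HostIP == $right.EntityIP
| project HostIP, MatchedDomains, MaxConfidence, FirstSeen, LastSeen,
          AlertTime, AlertName, AlertSeverity, SystemAlertId
| order by MaxConfidence desc, AlertTime desc
```

Two things to keep in mind when turning this into an analytics rule. The correlation is by IP over a time window, so on DHCP ranges a DNS hit can be paired with an alert that belongs to a different machine that later held the same address; adding a time constraint after the final join (for example `| where abs(AlertTime - LastSeen) < 1h`) tightens that considerably. And the `arg_max` plus `Active`/`ExpirationDateTime` filter matters: without it, superseded and expired indicators still match and are the usual source of noisy TI rules.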

1 Reply

So I did a join on the first table and the threatintelligence table and used 'let' to save the result to a temporary table.

Then I did the join again on the second table with the first table above.
That seems to work.
I added test variables for easier validation:

let table1 = (
    SecurityAlert
    | where TimeGenerated > now(-30d)
    | extend Entities = todynamic(Entities)
    | mv-expand Entities                                   // one row per alert entity
    | extend Type_ = tostring(Entities.Type)
    | where Type_ == "ip"
    | where isnotempty(tostring(Entities.Address))
    | extend field1 = "10.10.10.10"                        // test field in table1 (use tostring(Entities.Address) for real data)
    | join kind=inner (ThreatIntelligenceIndicator) on $left.field1 == $right.NetworkIP
    // now we have 2 tables with matching data because I added "10.10.10.10" to the threatintelligence table.
    | project field1, NetworkIP);                          // just to keep the output simple.
Infoblox_dnsclient                                         // now it's time to join the infoblox table to the above results.
| where TimeGenerated > now(-8d)
| take 5
| extend field2 = "10.10.10.10"                            // test field in table2
| project field2
| join kind=inner table1 on $left.field2 == $right.field1
// field1 from alerts/threatintelligence and field2 from Infoblox.


Does anyone think this is a good idea for creating alerts with a very low number of false positives?
Can you suggest a list of log sources where this could be useful? E.g.:

EDR + ThreatIntelligence + any of the following:

  1. Defender for O365 - mapped by user/email
  2. Living off the Land PowerShell events - mapped by host IP (e.g. curl/wget to external IP)
  3. PaloAlto THREAT logs - mapped by outbound source IP
     FIM - file integrity monitor - mapped by host IP
  4. Honeytokens - password spray hits honeytoken user account - mapped by host IP
  5. Any policy violations - network scan, password spray, etc. - mapped by host IP

So you can do just a join on any of the above 5 AND EDR, or go further and also join in threatintelligence for a higher severity alert?
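
The tiered approach described in the reply (a log source AND EDR, with threat intelligence and a suspicious process pushing severity up), written out as an added example rather than code from the thread. It assumes Defender for Endpoint's DeviceNetworkEvents table and Palo Alto THREAT events in CommonSecurityLog are onboarded; those table and column names, the LOLBin list and the severity thresholds are assumptions.

```kql
// Added example, not code from the original thread. Assumed: DeviceNetworkEvents
// (Defender for Endpoint via the Defender XDR connector) and Palo Alto THREAT
// events in CommonSecurityLog with the columns used below. The LOLBin list,
// the lookback and the severity thresholds are assumptions.
let lookback = 1d;
let lolbins = dynamic(["curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe", "mshta.exe"]);
// Latest revision of each IP indicator, still active (same hygiene as for domains).
let ti_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(90d)
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project TiIP = NetworkIP, ConfidenceScore, ThreatType;
// Signal 1: EDR outbound connections to a TI IP, with the process that made them.
let edr_hits =
    DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "ConnectionSuccess"
    | join kind=inner ti_ips on $left.RemoteIP == $right.TiIP
    | project TimeGenerated, HostIP = LocalIP, HostName = DeviceName, RemoteIP,
              Detail = strcat(InitiatingProcessFileName, " ", InitiatingProcessCommandLine),
              Lolbin = InitiatingProcessFileName in~ (lolbins),   // curl/wget-style downloader
              ConfidenceScore, Source = "EDR";
// Signal 2: Palo Alto THREAT log entries whose destination is a TI IP.
let pa_hits =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor == "Palo Alto Networks" and Activity == "THREAT"
    | join kind=inner ti_ips on $left.DestinationIP == $right.TiIP
    | project TimeGenerated, HostIP = SourceIP, HostName = "", RemoteIP = DestinationIP,
              Detail = strcat(DeviceEventClassID, " ", Message), Lolbin = false,
              ConfidenceScore, Source = "PaloAlto THREAT";
// Combine the signals per host. Independent sources agreeing is what keeps the
// false-positive rate low; a LOLBin talking to a TI IP raises the tier further.
union edr_hits, pa_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Sources = make_set(Source), SourceCount = dcount(Source),
            RemoteIPs = make_set(RemoteIP, 10), Details = make_set(Detail, 5),
            MaxConfidence = max(ConfidenceScore),
            LolbinSeen = countif(Lolbin) > 0,
            HostName = max(HostName)
  by HostIP
| extend Severity = case(SourceCount >= 2 and LolbinSeen, "High",
                         SourceCount >= 2, "Medium",
                         "Low")
| where SourceCount >= 2          // single-source hits are left for a lower-severity rule
| order by SourceCount desc, MaxConfidence desc
```

Each additional source from the list in the reply (honeytoken hits, FIM, policy-violation alerts) slots in as another `let` block that projects the same column set (TimeGenerated, HostIP, HostName, RemoteIP, Detail, Lolbin, ConfidenceScore, Source) and is added to the `union`; the scoring at the end does not need to change. Sources keyed by user or mailbox rather than host IP (Defender for O365) need a sign-in or DHCP lookup to get to a HostIP first, otherwise they cannot join here.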