Forum Discussion
AmiShinu
Jan 29, 2025, Copper Contributor
Sentinel Threat Intelligence Detection Rule
I'm working on connecting various Threat Intelligence TAXII feeds with our Sentinel platform. Does anyone have suggestions on the kind of detection rules using KQL we can build around these TAXII feeds? Most of them come with IPs, URLs, domains and hash values. Thanks in advance.
Try the below:
1. IP Addresses
Detect connections to known malicious IP addresses:
SecurityEvent
| where SourceIP in ("known_malicious_ip1", "known_malicious_ip2", ...)
| summarize Count = count() by SourceIP, DestinationIP
| where Count > 0
2. URLs
Detect access to malicious URLs:
AuditLogs
| where Url contains "known_malicious_url"
| summarize Count = count() by Url, UserPrincipalName
| where Count > 0
3. Domains
Detect connections to malicious domains:
NetworkActivity
| where DomainName in ("known_malicious_domain1", "known_malicious_domain2", ...)
| summarize Count = count() by DomainName, SourceIP
| where Count > 0
4. Hash Values
Detect files with known malicious hash values:
ProcessEvent
| where FileHash in ("known_malicious_hash1", "known_malicious_hash2", ...)
| summarize Count = count() by FileHash, FileName
| where Count > 0
- AmiShinu, Copper Contributor
Thank you for your response. Is there any way to make a generic detection rule, so any time any IOCs fed into Sentinel from these threat intelligence platforms find a matching log in our environment, it creates an alert? Like, instead of specifying each IP, hash or URL, it looks for all IPs listed in that column, or all URLs in that?