List Malicious DNS Name Detected Based On Threat Intelligence Indicators By Fortinet
Description
This KQL query looks for destination host names in Fortinet logs (CommonSecurityLog) that match Microsoft Sentinel Threat Intelligence domain indicators, i.e. malicious DNS names that hosts behind the Fortinet device reached.
Risk
A host behind the Fortinet device connecting to a domain that Sentinel holds as a threat intelligence indicator may be communicating with known malicious infrastructure (for example a command-and-control or phishing domain), which is a common sign of a compromised host. Because the query excludes connections the firewall already denied, closed or blocked, every match is traffic that was actually allowed to reach the flagged domain and therefore warrants triage.
Query
Microsoft Sentinel
Kusto
CommonSecurityLog
| where DeviceVendor == "Fortinet"
// Keep only connections the firewall let through: drop blocked actions and rows with no action at all
| where isnotempty(DeviceAction) and DeviceAction !in ("deny", "close", "blocked")
| where isnotempty(DestinationHostName)
// KQL join keys are case-sensitive; DNS names are not, so normalise both sides to lower case
| extend DestinationHostName = tolower(DestinationHostName)
| distinct DestinationHostName
| join kind=inner (
    ThreatIntelligenceIndicator
    // Only current domain indicators: expired or deactivated ones produce false positives
    | where isnotempty(DomainName)
    | where Active == true and ExpirationDateTime > now()
    | extend DomainName = tolower(DomainName)
    | project DomainName, ThreatType, Description, ConfidenceScore, ExpirationDateTime
) on $left.DestinationHostName == $right.DomainName
| project DestinationHostName, ThreatType, Description, ConfidenceScore, ExpirationDateTime
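The matching logic of the query, re-implemented in Python as an added example so it can be run offline against constructed sample records (this is not code from the page or from Microsoft Sentinel; the record classes, field names and sample values below are assumptions that mirror the CommonSecurityLog and ThreatIntelligenceIndicator columns the query uses). It shows the two halves of the join and the edge cases a practitioner cares about: blocked or empty actions are excluded, non-Fortinet events are ignored, host names are compared case-insensitively, and expired or non-domain indicators never match.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Actions that mean the firewall already stopped the connection (mirrors the
# exclusion list in the KQL query); anything else counts as an allowed connection.
BLOCKED_ACTIONS = {"deny", "close", "blocked"}


@dataclass(frozen=True)
class FortinetEvent:
    """Assumed subset of a CommonSecurityLog row."""
    device_vendor: str
    device_action: str
    destination_host_name: str


@dataclass(frozen=True)
class TiIndicator:
    """Assumed subset of a ThreatIntelligenceIndicator row (domain indicators)."""
    domain_name: str
    active: bool
    expiration: datetime
    threat_type: str


def normalize(domain: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot; the KQL join
    # compares strings exactly, so both sides are normalised the same way here.
    return domain.strip().rstrip(".").lower()


def allowed_fortinet_hosts(events):
    """CommonSecurityLog half of the query: Fortinet events whose action is
    present and not a block, reduced to the distinct destination host names."""
    hosts = set()
    for e in events:
        if e.device_vendor != "Fortinet":
            continue
        if not e.device_action or e.device_action in BLOCKED_ACTIONS:
            continue
        if e.destination_host_name:
            hosts.add(normalize(e.destination_host_name))
    return hosts


def usable_indicators(indicators, now):
    """ThreatIntelligenceIndicator half: active, unexpired domain indicators
    keyed by normalised domain name."""
    usable = {}
    for ind in indicators:
        if not ind.domain_name or not ind.active or ind.expiration <= now:
            continue
        usable[normalize(ind.domain_name)] = ind
    return usable


def match_hosts_to_ti(events, indicators, now=None):
    """Inner join of allowed destination hosts on indicator domains.
    Returns sorted (host, threat_type) pairs, one per matching host."""
    now = now or datetime.now(timezone.utc)
    ti = usable_indicators(indicators, now)
    hosts = allowed_fortinet_hosts(events)
    return sorted((h, ti[h].threat_type) for h in hosts if h in ti)


# Fixed clock so the example is reproducible (constructed value).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    FortinetEvent("Fortinet", "accept", "Bad-Domain.example"),          # allowed; matches despite case
    FortinetEvent("Fortinet", "deny", "blocked-c2.example"),            # already blocked -> excluded
    FortinetEvent("Fortinet", "accept", "expired-ioc.example"),         # indicator expired -> no match
    FortinetEvent("Fortinet", "", "no-action.example"),                 # empty action -> excluded
    FortinetEvent("Palo Alto Networks", "allow", "bad-domain.example"), # other vendor -> excluded
    FortinetEvent("Fortinet", "accept", "benign.example"),              # no indicator -> no match
]

# Constructed sample indicators, not real threat intelligence.
SAMPLE_INDICATORS = [
    TiIndicator("bad-domain.example", True, NOW + timedelta(days=30), "C2"),
    TiIndicator("blocked-c2.example", True, NOW + timedelta(days=30), "C2"),
    TiIndicator("expired-ioc.example", True, NOW - timedelta(days=1), "Phishing"),
    TiIndicator("no-action.example", True, NOW + timedelta(days=30), "Malware"),
    TiIndicator("", True, NOW + timedelta(days=30), "Malware"),  # indicator without a domain (e.g. IP only)
]

if __name__ == "__main__":
    for host, threat in match_hosts_to_ti(SAMPLE_EVENTS, SAMPLE_INDICATORS, NOW):
        print(f"{host}\t{threat}")
```

Running the module prints a single match, bad-domain.example tagged C2: the denied, empty-action and other-vendor events never enter the left side, and the expired indicator is dropped from the right side before the join, which is exactly the behaviour the Active and ExpirationDateTime filters give the KQL version.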