Detection rules › Kusto
Google Threat Intelligence - Threat Hunting IP
Google Threat Intelligence IP correlation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1071 Application Layer Protocol |
Event coverage
Rule body kusto
id: "7edb2abb-7ef7-4685-92eb-a628703ccf9f"
name: Google Threat Intelligence - Threat Hunting IP
description: |
'Google Threat Intelligence IP correlation.'
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelIndicators
queryFrequency: 30m
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
relevantTechniques:
- T1071
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: 'Google Threat Intelligence Match'
alertDescriptionFormat: 'Correlation found from the {{Type}} table.'
query: |
let ioc_lookBack = 1d;
_Im_NetworkSession
| where isnotempty(DstIpAddr)
| join kind=inner (
ThreatIntelIndicators
| where ObservableKey == 'ipv4-addr:value'
| where isnotempty(ObservableValue)
| where SourceSystem == "Google Threat Intelligence"
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
) on $left.DstIpAddr == $right.ObservableValue
| project NetworkIP=ObservableValue, Description=Data.description, Type, TimeGenerated
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: NetworkIP
version: 1.0.0
kind: Scheduled
Stages and Predicates
Parameters
let ioc_lookBack = 1d;
Stage 1: source
_Im_NetworkSession
Stage 2: where
| where isnotempty(DstIpAddr)
Stage 3: join
| join kind=inner (
ThreatIntelIndicators
| where ObservableKey == 'ipv4-addr:value'
| where isnotempty(ObservableValue)
| where SourceSystem == "Google Threat Intelligence"
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
) on $left.DstIpAddr == $right.ObservableValue
Stage 4: project
| project NetworkIP=ObservableValue, Description=Data.description, Type, TimeGenerated
Stage 5: summarize
summarize by Id
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DstIpAddr | is_not_null | |
IsActive | eq |
|
ObservableKey | eq |
|
ObservableValue | is_not_null | |
SourceSystem | eq |
|
ValidUntil | is_null |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
Id | summarize |