There are some good instructions available on how to configure the Anomali feeds for Azure Sentinel.
See: https://cda.ms/2sC
When you enable and configure the Threat intelligence – TAXII (Preview) data connector, the indicators are stored in the ThreatIntelligenceIndicator table, which includes a ConfidenceScore column. The Anomali feeds do carry a confidence score, but it is tucked away inside the ThreatType column along with other information rather than populated into the provided ConfidenceScore column. So, if you want to filter or rank indicators by it, it has to be parsed out into its own column first.
This is where the fabulous KQL parse-where operator comes in. parse-where matches a string against a pattern made up of literals and output columns, places the matched pieces into new columns, and drops any row where the pattern does not match (plain parse keeps those rows with empty columns). With a leading * wildcard you skip straight to the text you care about instead of having to describe the entire string.
The following KQL query uses this operator against the contents of the ThreatType column.
ThreatIntelligenceIndicator
// Skip everything up to "confidence-", keep the rest; rows without it are dropped
| parse-where ThreatType with * "confidence-" Confidence_Score
| project NetworkIP, ThreatType, Confidence_Score, SourceSystem
The most current version of this query will always be located in my GitHub Repo here: https://cda.ms/2sG
As you can see in the image below, the string is split where it matches the text “confidence-” and the remaining string (the actual score) is placed in the Confidence_Score column. One caveat: columns produced by parse-where are strings by default, so cast the value with toint() (or declare it as Confidence_Score:int in the pattern) before comparing or sorting on it numerically.
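The following query is an added example and is not part of the original post or the linked GitHub repo. It runs the same parse-where pattern over a small constructed datatable that stands in for ThreatIntelligenceIndicator, casts the extracted score to an integer, and applies an illustrative threshold. The ThreatType strings are an assumed layout (score at the end after "confidence-"), not a verbatim Anomali record, and the threshold of 50 is a placeholder.

```kql
// Added example, not from the original post. The datatable below is constructed
// sample data standing in for ThreatIntelligenceIndicator; the ThreatType strings
// are an assumed layout (score after "confidence-"), not a verbatim Anomali record.
let SampleIndicators = datatable(NetworkIP:string, ThreatType:string, SourceSystem:string)
[
    "198.51.100.10", "malware_ip,confidence-85",  "Anomali",
    "203.0.113.25",  "scanning_ip,confidence-40", "Anomali",
    "192.0.2.99",    "phishing_ip",               "OtherFeed"   // no confidence text at all
];
SampleIndicators
// Skip everything up to "confidence-" and keep the rest as Confidence_Score.
// The third row has no "confidence-" in ThreatType, so parse-where drops it;
// plain parse would keep it with an empty Confidence_Score instead.
| parse-where ThreatType with * "confidence-" Confidence_Score
// parse-where emits a string column; cast before any numeric comparison or sort.
| extend ConfidenceScoreInt = toint(Confidence_Score)
// Illustrative threshold: only act on indicators the feed is reasonably sure about.
| where ConfidenceScoreInt >= 50
| project NetworkIP, ThreatType, ConfidenceScoreInt, SourceSystem
```

Against that sample data only the 198.51.100.10 row survives: the second row is parsed but filtered out by the threshold, and the third never matches the pattern. To run it against the real table, drop the let statement and replace SampleIndicators with ThreatIntelligenceIndicator; if the feed's ThreatType layout puts more text after the score, add a trailing literal to the pattern so Confidence_Score stops at the right place.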