How to Extract the Confidence Score from the Anomali Feeds for Azure Sentinel

There are some good instructions available on how to configure the Anomali feeds for Azure Sentinel.

See: https://cda.ms/2sC

When you enable and configure the Threat intelligence – TAXII (Preview) connector, data is stored in the ThreatIntelligenceIndicator table, which includes a ConfidenceScore column. The Anomali feeds do contain a confidence score; however, it's stowed away in the ThreatType column along with additional information, and not stored in the provided ConfidenceScore column. So, if you want to do anything with it, it has to be parsed out into its own column.

This is where the fabulous KQL parse-where operator comes in. parse-where lets you take a long string of text and pull out just the part that follows a matching piece of text, instead of having to parse the entire string.

The following KQL query uses this operator against the contents of the ThreatType column.

ThreatIntelligenceIndicator
| parse-where ThreatType with * "confidence-" Confidence_Score
| project NetworkIP, ThreatType, Confidence_Score, SourceSystem

The most current version of this query will always be located in my GitHub Repo here: https://cda.ms/2sG

As you can see in the image below, the string is split where it matches the text “confidence-”, and the remainder of the string (the actual score) is placed in the Confidence_Score column.

Confidence Score extracted
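Because parse-where captures Confidence_Score as a string, it can't be compared numerically as-is. The query below is an added example, not from the original post or the linked repo: it casts the captured value to an integer, drops rows where the cast fails, and keeps only indicators at or above a threshold (the threshold value and the TimeGenerated column are assumptions).

```kql
// Added example (not the post's own query): typed confidence score with a threshold.
// minConfidence is an assumed value; tune it to your environment.
let minConfidence = 70;
ThreatIntelligenceIndicator
| where isnotempty(ThreatType)
// Same split as the post's query: everything after "confidence-" becomes Confidence_Score (a string).
| parse-where ThreatType with * "confidence-" Confidence_Score
// toint() returns null if anything other than digits trails "confidence-",
// so the isnotnull() check drops rows whose score could not be parsed cleanly.
| extend ConfidenceInt = toint(Confidence_Score)
| where isnotnull(ConfidenceInt) and ConfidenceInt >= minConfidence
| project TimeGenerated, NetworkIP, ThreatType, ConfidenceInt, SourceSystem
| order by ConfidenceInt desc
```

Replace the final project/order lines with `| summarize count() by ConfidenceInt` to see how the feed's scores are distributed before settling on a threshold.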
