How do I Exclude Blocked IPs from Threat Activity Detected Rule?

cookislands — Wed, 28 Jun 2023 15:35:59 GMT

Hey,

I am wondering how can we modify the below query/rule to exclude IPs that have been blocked by firewall. orig_sourcetype="fortigate_utm".

Query:

| from datamodel:"Threat_Intelligence"."Threat_Activity" | dedup threat_match_field,threat_match_value | `get_event_id` | table _raw,event_id,source,src,dest,src_user,user,threat*,weight | rename weight as record_weight | `per_panel_filter("ppf_threat_activity","threat_match_field,threat_match_value")` | `get_threat_attribution(threat_key)` | rename source_* as threat_source_*,description as threat_description | fields - *time | eval risk_score=case(isnum(record_weight), record_weight, isnum(weight) AND weight=1, 60, isnum(weight), weight, 1=1, null()),risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),risk_hash=if(threat_match_field IN("file_hash"),threat_match_value,null()),risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",threat_match_value,null()),risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",threat_match_value,null()),risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",threat_match_value,null()) | search (src=10.0.0.0/8 OR src=172.16.0.0/12 OR src=192.168.0.0/16)

topic How do I Exclude Blocked IPs from Threat Activity Detected Rule? in Other Usage

How do I Exclude Blocked IPs from Threat Activity Detected Rule?