Query Details

Url Haus Abusech Hits In Microsoft Teams

Query

**UrlHaus Abuse.ch Hits in Microsoft Teams**

This query identifies malicious URLs posted in Microsoft Teams messages by matching them against the URLhaus (abuse.ch) feed of currently online malicious URLs, and returns the Teams events that hit.

```
//UrlHaus Abuse.ch Hits in Microsoft Teams
// Pull the live "online" feed at query time. Lines starting with '#' are comments/header;
// every field is double-quoted and comma-separated:
// id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
let URLHausOnlineRAW = externaldata (UHFeed:string) ["https://urlhaus.abuse.ch/downloads/csv_online/"] with(format="txt")
| where UHFeed !startswith "#"
| extend UHRAW = replace_string(UHFeed, '"', '')   // strip the surrounding quotes
| extend splitted = split(UHRAW, ',')               // assumes no field itself contains a comma
| project id = tostring(splitted[0]), dateadded = tostring(splitted[1]), UHUrl = tostring(splitted[2]), UHurl_status = tostring(splitted[3]), UHlast_online = tostring(splitted[4]), UHthreat = tostring(splitted[5]), UHtags = tostring(splitted[6]), UHLink = tostring(splitted[7]), UHReporter = tostring(splitted[8]);
CloudAppEvents
| where Application has "Microsoft Teams"
// MessageURLs is a JSON array; expand it so a message with several links yields one row per URL
| mv-expand MessageURL = todynamic(RawEventData).MessageURLs
| extend MessageURL = tostring(MessageURL)
| join kind=inner URLHausOnlineRAW on $left.MessageURL == $right.UHUrl
```

Explanation

This query identifies malicious URLs that have been sent via Microsoft Teams by cross-referencing them with the list of known malicious URLs from the URLhaus (abuse.ch) database. Here's a simplified breakdown of what the query does:

  1. Fetch Malicious URLs: It retrieves, at query time via `externaldata`, the URLhaus feed of URLs that are currently online. The feed is CSV; lines starting with a hash (#) are comments and the column header, so they are dropped.

  2. Process the Data: Every field in the feed is double-quoted, so the quotes are removed and each line is split on commas into separate columns: ID, date added, URL, status, last online date, threat type, tags, URLhaus link, and reporter. Because the split is a plain comma split, a feed line whose URL or tags field contains a comma would have its columns shifted.

  3. Extract URLs from Teams: It then looks at `CloudAppEvents` where the application is Microsoft Teams and reads the `MessageURLs` array inside `RawEventData`, which holds every link contained in the message. Each URL is turned into a plain string so it can be compared.

  4. Match URLs: The query performs an inner join between the URLs extracted from Teams messages and the URLs from URLhaus. Only rows present in both datasets survive, so the output is limited to hits.

The result is a list of Teams events whose message contained a URL that URLhaus currently lists as online and malicious, together with the URLhaus threat, tags, link, and reporter for triage. Two caveats: the join is an exact string comparison, so a URL that differs only in case, a trailing slash, or an extra query parameter will not match; and the feed is fetched live, so re-running the query later can return different results as entries go offline.
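To make the parsing and matching steps concrete without access to Defender, the following Python script is an added example; it is not part of the original page or the author's query. It reimplements the same logic offline over a constructed sample of the csv_online feed and constructed CloudAppEvents-style records (all hostnames, IDs and account names are made up), using a real CSV parser so a quoted comma stays inside its field, and normalizing scheme and host before the match.

```python
import csv
import io
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the URLhaus csv_online feed (not real feed data).
# Real feed lines are double-quoted, comma-separated, with '#' lines on top.
URLHAUS_CSV_SAMPLE = """\
# URLhaus online feed (constructed sample for this example)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1001","2024-12-01 10:00:00","http://malicious.example/payload.exe","online","2024-12-09 08:00:00","malware_download","exe","https://urlhaus.abuse.ch/url/1001/","reporter_a"
"1002","2024-12-02 11:30:00","http://bad.example/dl.php?a=1,b=2","online","2024-12-09 09:00:00","malware_download","php,dropper","https://urlhaus.abuse.ch/url/1002/","reporter_b"
"1003","2024-12-03 12:00:00","HTTP://Mixed.Example/Doc.Docm","online","2024-12-09 10:00:00","malware_download","docm","https://urlhaus.abuse.ch/url/1003/","reporter_c"
"""

URLHAUS_FIELDS = ["id", "dateadded", "url", "url_status", "last_online",
                  "threat", "tags", "urlhaus_link", "reporter"]


def parse_urlhaus_csv(text):
    """Parse the csv_online feed into dicts, skipping '#' comment lines.
    A CSV reader keeps a comma inside a quoted field (see ids 1002) in that
    field, which the plain split(',') in the KQL query would not."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    rows = []
    for rec in csv.reader(io.StringIO("\n".join(lines))):
        if len(rec) != len(URLHAUS_FIELDS):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(URLHAUS_FIELDS, rec)))
    return rows


def normalize_url(url):
    """Lower-case scheme and host only; path and query stay case-sensitive.
    Both sides of the match go through this so casing alone cannot hide a hit."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


# Constructed CloudAppEvents-like records. RawEventData.MessageURLs is the JSON
# array the query reads; field names follow the query, the values are invented.
TEAMS_EVENTS_SAMPLE = [
    {"Application": "Microsoft Teams", "AccountDisplayName": "alice",
     "RawEventData": json.dumps({"MessageURLs": ["https://intranet.example/wiki"]})},
    {"Application": "Microsoft Teams", "AccountDisplayName": "bob",
     "RawEventData": json.dumps({"MessageURLs": ["https://intranet.example/wiki",
                                                 "http://malicious.example/payload.exe"]})},
    {"Application": "Microsoft Teams", "AccountDisplayName": "carol",
     "RawEventData": json.dumps({"MessageURLs": ["http://bad.example/dl.php?a=1,b=2"]})},
    {"Application": "Microsoft Teams", "AccountDisplayName": "dave",
     "RawEventData": json.dumps({"MessageURLs": ["http://mixed.example/Doc.Docm"]})},
    {"Application": "Microsoft SharePoint Online", "AccountDisplayName": "erin",
     "RawEventData": json.dumps({"MessageURLs": ["http://malicious.example/payload.exe"]})},
]


def find_urlhaus_hits(events, feed_rows):
    """Inner join of every URL in every Teams message against the feed.
    Returns one hit per (event, URL) pair, mirroring the query's join."""
    index = {normalize_url(r["url"]): r for r in feed_rows}
    hits = []
    for ev in events:
        # approximates the query's `Application has "Microsoft Teams"` filter
        if "Microsoft Teams" not in ev.get("Application", ""):
            continue
        raw = json.loads(ev.get("RawEventData") or "{}")
        for url in raw.get("MessageURLs") or []:   # one row per URL, like mv-expand
            match = index.get(normalize_url(url))
            if match:
                hits.append({"sender": ev["AccountDisplayName"], "url": url,
                             "threat": match["threat"], "tags": match["tags"],
                             "urlhaus_link": match["urlhaus_link"]})
    return hits


if __name__ == "__main__":
    feed = parse_urlhaus_csv(URLHAUS_CSV_SAMPLE)
    for hit in find_urlhaus_hits(TEAMS_EVENTS_SAMPLE, feed):
        print(hit)
```

Run as-is it reports three hits (bob, carol, dave) and none for alice or for the non-Teams event. The carol hit exists only because the CSV reader kept the comma inside the quoted URL; the dave hit exists only because scheme and host were lower-cased on both sides. Neither would match under the KQL query's plain split and exact-string join, which is the practical limit to keep in mind when a hunt on this feed comes back empty.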

Details


Sergio Albea

Released: December 10, 2024

Tables

CloudAppEvents

Keywords

Url, Microsoft Teams, CloudAppEvents

Operators

let, externaldata, where, extend, replace_string, split, project, tostring, CloudAppEvents, has, mv-expand, todynamic, join
