Query Details

[IA] Threat Intelligence Feed Evaluation based on Domains IOCs

Query

**[IA] - Threat Intelligence Feed Evaluation based on Domains IOCs**

| Technique ID | Title    |
| ---  | --- |
| T1566.002 | Phishing: Spearphishing Link  |


| Author | Sergio Albea (12/01/2026)   |
| ---  | --- |

TIFCE (Threat Intelligence Feed Content Evaluation) is a simple way to measure whether a TI feed is actually useful, based on four criteria: uniqueness, real matches, confirmed maliciousness, and activity.
🚨 TIFCE lets you run one detection per IOC type (URLs, domains, file hashes) instead of dozens of rules per feed, keeping detections clean, centralized, and easy to maintain.
If you rely on threat intelligence for detection, it is also a practical way to evaluate the TI feeds you already use, or new ones you are considering.
```
// Sergio Albea 12-01-2026 TIFCE https://zenodo.org/records/18208974
// Every feed is normalised to the same three columns: TIFeed (label), IOC (domain or URL), Reference (source link)
let BotvrijRAW = externaldata(Url: string)[@'https://www.botvrij.eu/data/ioclist.domain']
    | extend Url = substring(Url, 0, indexof(Url, '#')) | where isnotempty(Url)   // keep only the part before the '# comment'
    | project TIFeed = 'BotvrijRAW', IOC = Url, Reference = 'https://www.botvrij.eu/data/ioclist.domain';
let montysecurity = externaldata(URLS: string)[@'https://raw.githubusercontent.com/montysecurity/C2-Tracker/refs/heads/main/data/all.txt'] with (format='csv')
    | project TIFeed = 'montysecurity', IOC = URLS, Reference = 'https://raw.githubusercontent.com/montysecurity/C2-Tracker/refs/heads/main/data/all.txt';
let PhishuntURLs = externaldata(Url: string)['https://phishunt.io/feed.txt']
    | where Url !in ('https://www.google.com/chrome/', 'https://www.microsoft.com/en-us/microsoft-teams/log-in')   // known benign entries in the feed
    | project TIFeed = 'PhishuntURLs', IOC = Url, Reference = 'https://phishunt.io/feed.txt';
let C2IntelFeeds = externaldata(URLS: string)[@'https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/domainC2swithURLwithIP-30day-filter-abused.csv'] with (format='csv')
    | where URLS !startswith '#'   // skip header/comment lines
    | project TIFeed = 'C2IntelFeeds', IOC = URLS, Reference = 'C2IntelFeeds';
let Openphish = externaldata(URLS: string)[@'https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt'] with (format='csv')
    | project TIFeed = 'OpenPhish', IOC = URLS, Reference = 'https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt';
let URL_TweetFeedMonth = externaldata(DateUTC: datetime, SourceUser: string, Type: string, Value: string, Tags: string, Tweet: string)[@'https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv'] with (format='csv')
    | where Type has 'url'
    | project TIFeed = 'URL_TweetFeedMonth', IOC = Value, Reference = 'https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv';
// unify the TI feeds into one IOC list (note: montysecurity is defined above but not part of this union)
let URL_IOCs = union Openphish, C2IntelFeeds, URL_TweetFeedMonth, BotvrijRAW, PhishuntURLs;
// ℹ️ Uncomment the following line to get a summary of how many distinct TI feeds carry each IOC (uniqueness)
//URL_IOCs | summarize dcount(TIFeed), make_set(TIFeed) by IOC | order by dcount_TIFeed
// match URLs seen in email over the last 30 days against the unified IOC list
EmailUrlInfo
| where Timestamp > ago(30d)
| join kind=inner (URL_IOCs) on $left.Url == $right.IOC
| join kind=inner (EmailEvents) on NetworkMessageId
| extend IPSender = iff(isnotempty(SenderIPv4), SenderIPv4, SenderIPv6)
| extend Time_ = format_datetime(Timestamp, 'yyyy-MM-dd')
| summarize by Time_, TIFeed, IOC, DeliveryLocation, Url, Subject, IPSender, SenderMailFromDomain, Reference
```

Explanation

This query is designed to evaluate the usefulness of various Threat Intelligence (TI) feeds by focusing on domain-based Indicators of Compromise (IOCs). Here's a simplified breakdown of what the query does:

  1. Data Sources: It pulls data from several external TI feeds, each providing a list of potentially malicious URLs or domains. These feeds include BotvrijRAW, MontySecurity, PhishuntURLs, C2IntelFeeds, OpenPhish, and URL_TweetFeedMonth.
  2. Data Processing:
     • For each feed, it extracts the URLs or domains and assigns them a label (TIFeed) and a reference link.
     • It filters out any empty or irrelevant entries and formats the data for further analysis.
  3. Unification: It combines all the extracted IOCs from the different feeds into a single list called URL_IOCs.
  4. Analysis:
     • It joins this unified list with email data (EmailUrlInfo) to find matches between the IOCs and URLs found in emails over the past 30 days.
     • It further joins with EmailEvents to gather additional details such as the sender's IP address and email subject.
  5. Output: The query summarizes the results by date, TI feed, IOC, and other relevant email details, providing insight into which feeds are detecting real threats and how those threats show up in email traffic.

Overall, this query helps security analysts evaluate the effectiveness of different TI feeds by checking for real-world matches in email traffic, focusing on the uniqueness, confirmed maliciousness, and activity of the IOCs.
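The same TIFCE steps (normalise each feed, unify, match against email URLs, summarise per day/feed/IOC) as a stand-alone Python re-implementation, added here as an example and not part of the original query or the Defender schema. It uses constructed feed bodies and constructed email rows in place of the externaldata() fetches and the EmailUrlInfo/EmailEvents tables, and it goes one step beyond the KQL by also matching each email URL's host, so domain-only feeds such as the Botvrij list can produce hits.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample feed bodies standing in for the externaldata() fetches: Botvrij-style lines
# carry a trailing '# comment', C2IntelFeeds-style files start with '#' header lines.
FEEDS = {
    "BotvrijRAW": "bad-login.example # ref 1\nc2.example # ref 2\n\n",
    "OpenPhish": "https://bad-login.example/verify\nhttps://invoice.example/pay\n",
    "C2IntelFeeds": "# generated 2026-01-01\nc2.example\nbeacon.example\n",
}

# Constructed stand-in for the EmailUrlInfo/EmailEvents join: (Timestamp, Url, sender IP, Subject)
EMAILS = [
    ("2026-01-10T08:00:00", "https://bad-login.example/verify", "203.0.113.5", "Verify account"),
    ("2026-01-10T09:30:00", "https://bad-login.example/verify", "203.0.113.5", "Verify account"),
    ("2026-01-11T14:00:00", "https://c2.example/", "203.0.113.9", "Invoice"),
    ("2026-01-11T15:00:00", "https://safe.example/", "198.51.100.7", "Newsletter"),
]

def normalise(text):
    """Strip '#' comments and blank lines, like the query's substring/indexof/where steps."""
    for line in text.splitlines():
        ioc = line.split("#", 1)[0].strip()
        if ioc:
            yield ioc

def unify(feeds):
    """Union all feeds into {ioc: set(feed names)}; the set size is TIFCE's uniqueness measure."""
    by_ioc = defaultdict(set)
    for name, text in feeds.items():
        for ioc in normalise(text):
            by_ioc[ioc].add(name)
    return by_ioc

def evaluate(feeds, emails):
    """Match each email URL (exact URL, then its host) against the unified list; count hits per day/feed/IOC."""
    by_ioc = unify(feeds)
    hits = defaultdict(int)
    for ts, url, _ip, _subject in emails:
        day = datetime.fromisoformat(ts).strftime("%Y-%m-%d")
        for candidate in (url, urlsplit(url).hostname):
            for feed in by_ioc.get(candidate, ()):
                hits[(day, feed, candidate)] += 1
    return dict(hits)

if __name__ == "__main__":
    for ioc, names in sorted(unify(FEEDS).items(), key=lambda kv: -len(kv[1])):
        print(f"{ioc:35} seen in {len(names)} feed(s): {sorted(names)}")
    for key, n in sorted(evaluate(FEEDS, EMAILS).items()):
        print(key, n)
```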

Details


Sergio Albea

Released: January 17, 2026

Tables

EmailUrlInfo, EmailEvents

Keywords

ThreatIntelligence, Domains, IOCs, Urls, EmailEvents

Operators

let, externaldata, extend, substring, indexof, where, isnotempty, or, project, with, format, !in, !startswith, union, join, kind, on, $left, $right, iff, summarize, by, format_datetime, ago
