Query Details

IA Threat Intelligence Feed Evaluation Based On URL IOCs

Query

**[IA] - Threat Intelligence Feed Evaluation based on URL IOCs**

| Technique ID | Title    |
| ---  | --- |
| T1566.002 | Phishing: Spearphishing Link  |


| Author | Sergio Albea (12/01/2026)   |
| ---  | --- |

TIFCE (Threat Intelligence Feed Content Evaluation) is a simple way to measure if a TI feed is actually useful based on four things — uniqueness, real matches, confirmed maliciousness, and activity.
🚨 TIFCE allows using one detection per IOC type (URLs, domains, file hashes) instead of dozens of rules per feed, keeping detections clean, centralized, and easy to maintain.
In addition, if you rely on threat intelligence for detection, it gives you a practical way to evaluate the TI feeds you already use or are considering adding.

```kql
// Sergio Albea 12-01-2026 TIFCE https://zenodo.org/records/18208974
// Every feed is normalised to the same three columns: TIFeed (label), IOC (URL or domain), Reference (source)
let BotvrijRAW = externaldata(Url: string)[@'https://www.botvrij.eu/data/ioclist.domain']
    | extend Url = substring(Url, 0, indexof(Url, '#'))   // keep only the part before the trailing '# comment'
    | where isnotempty(Url)
    | project TIFeed = 'BotvrijRAW', IOC = Url, Reference = 'https://www.botvrij.eu/data/ioclist.domain';
let montysecurity = externaldata(URLS: string)[@'https://raw.githubusercontent.com/montysecurity/C2-Tracker/refs/heads/main/data/all.txt'] with (format='csv')
    | project TIFeed = 'montysecurity', IOC = URLS, Reference = 'https://raw.githubusercontent.com/montysecurity/C2-Tracker/refs/heads/main/data/all.txt';
let PhishuntURLs = externaldata(Url: string)['https://phishunt.io/feed.txt']
    | where Url !in ('https://www.google.com/chrome/', 'https://www.microsoft.com/en-us/microsoft-teams/log-in')   // benign entries that appear in the feed
    | project TIFeed = 'PhishuntURLs', IOC = Url, Reference = 'https://phishunt.io/feed.txt';
let C2IntelFeeds = externaldata(URLS: string)[@'https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/domainC2swithURLwithIP-30day-filter-abused.csv'] with (format='csv')
    | where URLS !startswith '#'   // skip header and comment lines
    | project TIFeed = 'C2IntelFeeds', IOC = URLS, Reference = 'C2IntelFeeds';
let Openphish = externaldata(URLS: string)[@'https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt'] with (format='csv')
    | project TIFeed = 'OpenPhish', IOC = URLS, Reference = 'https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt';
let URL_TweetFeedMonth = externaldata(DateUTC: datetime, SourceUser: string, Type: string, Value: string, Tags: string, Tweet: string)[@'https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv'] with (format='csv')
    | where Type has 'url'   // TweetFeed mixes IPs, domains, hashes and URLs; keep the URL rows only
    | project TIFeed = 'URL_TweetFeedMonth', IOC = Value, Reference = 'https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv';
// unify the TI feed IOC lists
let URL_IOCs = union Openphish, C2IntelFeeds, URL_TweetFeedMonth, BotvrijRAW, PhishuntURLs, montysecurity;
// ℹ️ Uncomment the next line to get a summary of which IOCs are present on more than one TI feed
// URL_IOCs | summarize dcount(TIFeed), make_set(TIFeed) by IOC | order by dcount_TIFeed
EmailUrlInfo
| where Timestamp > ago(30d)
| join kind=inner (URL_IOCs) on $left.Url == $right.IOC
| join kind=inner (EmailEvents) on NetworkMessageId
| extend IPSender = iff(isnotempty(SenderIPv4), SenderIPv4, SenderIPv6)
| extend Time_ = format_datetime(Timestamp, 'yyyy-MM-dd')
| summarize by Time_, TIFeed, IOC, DeliveryLocation, Url, Subject, IPSender, SenderMailFromDomain, Reference
```

Explanation

This query is designed to evaluate the effectiveness of threat intelligence feeds by focusing on URL indicators of compromise (IOCs). Here's a simplified breakdown of what the query does:

  1. Data Sources: The query pulls URL data from several external threat intelligence feeds:

    • BotvrijRAW
    • Montysecurity
    • PhishuntURLs
    • C2IntelFeeds
    • OpenPhish
    • URL_TweetFeedMonth
  2. Data Processing:

    • For each feed, it extracts URLs and assigns them a label (TIFeed) and a reference URL.
    • It filters out any unnecessary or empty entries to ensure clean data.
  3. Unification:

    • The query combines all the URLs from the different feeds into a single list called URL_IOCs.
  4. Analysis:

    • It joins this unified list with email data (EmailUrlInfo) from the past 30 days to find matches between the URLs in the threat feeds and URLs found in emails.
    • It further joins with EmailEvents to gather additional information about the emails, such as sender IP, delivery location, and subject.
  5. Output:

    • The final output summarizes the data by date, showing which URLs from the threat feeds appeared in emails, along with details like the feed source, delivery location, sender information, and a reference link.

Overall, this query helps determine the usefulness of different threat intelligence feeds by identifying which URLs from these feeds are actually seen in email traffic, thus indicating potential threats.
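The same pipeline can be modelled offline, which is useful for checking the TIFCE measures (uniqueness across feeds, real matches, activity by day) before pointing the KQL at a tenant. The Python below is an added example, not the query author's code: the feed payloads, message IDs, sender addresses and subjects are all constructed, and the `constructed://` references are placeholders. It goes one step beyond the query in one place, flagged in the code: with `match_domains=True`, a bare-domain IOC (the kind the botvrij ioclist.domain feed supplies) is also matched against the hostname of an email URL, whereas the query's `Url == IOC` join only credits exact string matches.

```python
# Offline model of the TIFCE evaluation the KQL query performs. Added example: every feed payload and e-mail record below is constructed, not real feed content or tenant data.
import csv, io
from collections import defaultdict, namedtuple
from urllib.parse import urlparse
# Constructed feed payloads that mimic each real feed's line format.
BOTVRIJ_RAW = "bad.example # note\nevil.example  # note\n# comment-only line\nphish.example\n"
OPENPHISH_RAW = "http://phish.example/login\nhttp://bank-login.example/verify\n"
C2INTEL_RAW = "# header comment\nhttp://evil.example/gate.php\nhttp://c2.example/panel\n"
TWEETFEED_RAW = (
    "2026-01-11 00:00:00,analyst_a,url,http://phish.example/login,#phishing,https://tweet.example/1\n"
    "2026-01-11 00:05:00,analyst_b,ip,203.0.113.5,#c2,https://tweet.example/2\n"
    "2026-01-12 00:00:00,analyst_c,url,http://tweet-only.example/x,#phishing,https://tweet.example/3\n")
# Constructed EmailUrlInfo rows (Timestamp, NetworkMessageId, Url) and EmailEvents rows by NetworkMessageId.
EMAIL_URL_INFO = [
    ("2026-01-12T08:00:00Z", "msg-1", "http://phish.example/login"),
    ("2026-01-12T09:30:00Z", "msg-2", "http://evil.example/gate.php"),
    ("2026-01-13T10:00:00Z", "msg-3", "http://phish.example/login"),
    ("2026-01-13T11:00:00Z", "msg-4", "https://www.microsoft.com/en-us/microsoft-teams/log-in"),
]
EMAIL_EVENTS = {
    "msg-1": dict(SenderIPv4="198.51.100.7", SenderIPv6="", Subject="Verify your account", DeliveryLocation="Inbox"),
    "msg-2": dict(SenderIPv4="", SenderIPv6="2001:db8::1", Subject="Invoice", DeliveryLocation="Quarantine"),
    "msg-3": dict(SenderIPv4="198.51.100.7", SenderIPv6="", Subject="Verify your account", DeliveryLocation="Junk"),
    "msg-4": dict(SenderIPv4="192.0.2.10", SenderIPv6="", Subject="Team invite", DeliveryLocation="Inbox"),
}

Ioc = namedtuple("Ioc", "feed ioc reference")   # the TIFeed, IOC, Reference columns of the query

def parse_line_feed(text, feed, reference, inline_comments=False):
    """One indicator per line. inline_comments strips a trailing '# ...' (the query's
    substring/indexof step); otherwise lines starting with '#' are skipped (!startswith)."""
    out = []
    for line in text.splitlines():
        value = line.split("#", 1)[0].strip() if inline_comments else line.strip()
        if value and not value.startswith("#"):
            out.append(Ioc(feed, value, reference))
    return out

def parse_tweetfeed(text, feed, reference):
    """TweetFeed CSV (DateUTC,SourceUser,Type,Value,Tags,Tweet); keep rows whose Type has 'url'."""
    return [Ioc(feed, row[3].strip(), reference)
            for row in csv.reader(io.StringIO(text)) if len(row) >= 4 and "url" in row[2].lower()]

def load_feeds():
    """The union that builds URL_IOCs, over the constructed payloads."""
    return (parse_line_feed(BOTVRIJ_RAW, "BotvrijRAW", "constructed://botvrij", inline_comments=True)
            + parse_line_feed(OPENPHISH_RAW, "OpenPhish", "constructed://openphish")
            + parse_line_feed(C2INTEL_RAW, "C2IntelFeeds", "constructed://c2intel")
            + parse_tweetfeed(TWEETFEED_RAW, "URL_TweetFeedMonth", "constructed://tweetfeed"))

def feeds_per_ioc(iocs):
    """The commented-out 'summarize dcount(TIFeed), make_set(TIFeed) by IOC' (feed overlap)."""
    seen = defaultdict(set)
    for i in iocs:
        seen[i.ioc].add(i.feed)
    return dict(seen)

def match_emails(iocs, email_urls, email_events, match_domains=True):
    """Inner-join URL rows with IOCs, then with EmailEvents on NetworkMessageId. match_domains goes
    beyond the query's exact Url == IOC join: a bare-domain IOC also matches the URL's hostname."""
    by_ioc = defaultdict(list)
    for i in iocs:
        by_ioc[i.ioc].append(i)
    hits = []
    for ts, msg_id, url in email_urls:
        ev = email_events.get(msg_id)
        if ev is None:
            continue                               # inner join: no EmailEvents row, no output
        host = urlparse(url).hostname
        keys = [url] + ([host] if match_domains and host else [])
        for i in (x for k in keys for x in by_ioc.get(k, [])):
            hits.append({"Time_": ts[:10],         # format_datetime(Timestamp, 'yyyy-MM-dd')
                         "TIFeed": i.feed, "IOC": i.ioc, "Url": url, "NetworkMessageId": msg_id,
                         "DeliveryLocation": ev["DeliveryLocation"], "Subject": ev["Subject"],
                         "IPSender": ev["SenderIPv4"] or ev["SenderIPv6"],  # iff(isnotempty(SenderIPv4), ...)
                         "Reference": i.reference})
    return hits

def evaluate_feeds(iocs, hits):
    """Per-feed TIFCE scorecard: size, uniqueness, real matches, activity (distinct days with a hit)."""
    overlap = feeds_per_ioc(iocs)
    acc = defaultdict(lambda: {"iocs": set(), "unique": set(), "matched": set(), "days": set(), "matches": 0})
    for i in iocs:
        acc[i.feed]["iocs"].add(i.ioc)
        if overlap[i.ioc] == {i.feed}:             # present in no other feed
            acc[i.feed]["unique"].add(i.ioc)
    for h in hits:
        a = acc[h["TIFeed"]]
        a["matches"] += 1
        a["matched"].add(h["IOC"])
        a["days"].add(h["Time_"])
    return {f: {"iocs": len(a["iocs"]), "unique": len(a["unique"]), "matches": a["matches"],
                "matched_iocs": len(a["matched"]), "active_days": len(a["days"])} for f, a in acc.items()}

if __name__ == "__main__":
    iocs = load_feeds()
    print(evaluate_feeds(iocs, match_emails(iocs, EMAIL_URL_INFO, EMAIL_EVENTS)))
```

Running the module prints one scorecard per feed. The `match_domains` switch is worth keeping in mind when reading the KQL results: a feed that publishes domains rather than full URLs will score zero matches under the exact `Url == IOC` join even when its domains are showing up in mail, so for such feeds the join key in the query should be the URL's domain (the `UrlDomain` column of `EmailUrlInfo`) instead of `Url`.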

Details


Sergio Albea

Released: January 17, 2026

Tables

EmailUrlInfo, EmailEvents

Keywords

ThreatIntelligenceFeed, Url, Domains, FileHashes, EmailEvents, NetworkMessageId, Timestamp, DeliveryLocation, Subject, SenderMailFromDomain

Operators

let, externaldata, extend, substring, indexof, where, isnotempty, or, project, with, format, !in, !startswith, union, join, kind, on, ==, iff, summarize, by, format_datetime, >, ago
