Query Details
// Load the IOC list (CSV of anonymous email-sending domains) straight from GitHub
let AnonymousEmailSendingIOCs = externaldata(type: string, IndicatorValue: string)
    [@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/AnonymousEmailSendingDomains.csv"]
    with (format="csv", ignoreFirstRecord=true);
// Keep only the domain column
let DomainList = AnonymousEmailSendingIOCs | project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
// Case-insensitive match of the remote URL against the IOC list
| where RemoteUrl in~ (DomainList)
// Build a VirusTotal pivot link for each matched domain
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After Hunting visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading to MDE to block all domains. Remove any results that are legitimate usage.
// Ensure any whistleblowing policy is not violated
This KQL query is designed to identify network events related to potentially suspicious email-sending domains. Here's a simple breakdown of what the query does:
Load External Data: It imports a list of potentially suspicious domains from a CSV file hosted on GitHub. These domains are associated with anonymous email sending.
Extract Domain List: It extracts the domain names from the imported data for further analysis.
Filter Network Events: It searches through device network events from the past 90 days to find any events where the remote URL matches (case-insensitively) one of the suspicious domains.
Create VirusTotal Links: For each matching event, it creates a link to the VirusTotal website for the domain, which can be used for further investigation.
Summarize Results: It counts the number of events for each suspicious domain and provides a summary with links to VirusTotal.
Post-Analysis Recommendations: After analyzing the results, it suggests downloading the CSV file and considering uploading it to Microsoft Defender for Endpoint (MDE) to block these domains. It also advises removing any domains that are used legitimately and ensuring compliance with any whistleblowing policies, since anonymous email services may be a sanctioned reporting channel in some organizations.
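The original query only returns a hit count per domain, which is not enough on its own to decide which results are legitimate usage. The following triage-oriented variant is an added example, not the author's query: it uses the same CSV URL as the page and assumes the standard DeviceNetworkEvents columns (DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ActionType, RemoteIP), grouping hits per device, account and process with first/last-seen timestamps so each group can be reviewed and excluded as a unit before anything is blocked.

```kql
// Added example (not the page's original query): triage view of the
// anonymous-email-domain hunt. Same IOC CSV as the page; the extra columns
// are standard DeviceNetworkEvents fields (assumed present in the workspace).
let AnonymousEmailSendingIOCs = externaldata(type: string, IndicatorValue: string)
    [@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/AnonymousEmailSendingDomains.csv"]
    with (format="csv", ignoreFirstRecord=true);
// distinct instead of project so duplicate CSV rows do not matter
let DomainList = AnonymousEmailSendingIOCs | distinct IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~ (DomainList)
// One row per device / account / process / domain: the unit an analyst
// will either clear as legitimate usage or escalate
| summarize
    Hits = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Actions = make_set(ActionType, 5),
    RemoteIPs = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl
// Same VirusTotal pivot as the original query
| extend VT_domain = strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl)
// A browser touching a domain a few times over months looks different from a
// non-browser process that suddenly starts connecting on a single day
| extend SpanDays = datetime_diff("day", LastSeen, FirstSeen)
| order by Hits desc, LastSeen desc
```

Once the rows that reflect legitimate usage have been identified, the remaining domains are the candidates for the MDE indicator upload the page recommends; the per-process grouping is also what makes it practical to spot whether a hit comes from a mail client or browser rather than an unexpected binary.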

Jay Kerai
Released: January 31, 2025