Query Details

Anti Sleep Domains MDE Device Network Events

Query

// Load the AntiSleep IOC list (CSV with header row: type, IndicatorValue) from GitHub
let AntisleepIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/AntiSleep.csv"] with (format="csv", ignoreFirstRecord=True);
// Keep only the domain column; this becomes the single-column list used by in~
let DomainList = AntisleepIOCs
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
// Case-insensitive exact match of the logged RemoteUrl against the IOC domains
| where RemoteUrl in~ (DomainList)
// Build a VirusTotal domain lookup link for non-empty RemoteUrl values
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl)
// VT_domain is included in the grouping so the link survives the summarize
| summarize count() by RemoteUrl, VT_domain, InitiatingProcessFileName, InitiatingProcessAccountUpn

Explanation

This query is designed to detect potentially malicious network activity related to specific domains over the past 90 days. Here's a simplified breakdown of what it does:

  1. Load External Data: It imports a list of indicators of compromise (IOCs) from an external CSV file hosted on GitHub. This file contains domains associated with "AntiSleep" activities, which are likely related to suspicious or malicious behavior.

  2. Extract Domain List: It extracts the domain names (IndicatorValue) from the imported data to create a list of domains of interest.

  3. Filter Network Events: It examines device network events from the last 90 days and keeps those whose RemoteUrl is a case-insensitive exact match (in~) for one of the domains in the extracted list.

  4. Add VirusTotal Links: For each network event involving a suspicious domain, it creates a link to VirusTotal, a service that provides information about the domain's reputation. This link is constructed only if the domain is not empty.

  5. Summarize Results: Finally, it summarizes the data by counting the number of occurrences for each domain, along with the associated initiating process file name and the user account that initiated the process. This helps in identifying which processes and users are interacting with these suspicious domains.

In essence, this query helps in identifying and summarizing potentially harmful network activities by cross-referencing with known suspicious domains.
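The matching in step 3 is a case-insensitive exact comparison, so a RemoteUrl that MDE logged as a full URL, a host:port pair, or a subdomain of a listed domain would not match. The following Python is an added example, not part of the original query or of the jkerai1 repository, that reproduces the query's load / match / summarize steps over a constructed IOC CSV and constructed DeviceNetworkEvents rows, and normalises RemoteUrl to a bare host with subdomain matching so that the difference against exact matching is visible.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the AntiSleep.csv contents (type, IndicatorValue); not the real file
IOC_CSV = """type,IndicatorValue
domain,antisleep-example.test
domain,keepawake-example.test
"""

# Constructed DeviceNetworkEvents rows: (RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountUpn)
EVENTS = [
    ("antisleep-example.test", "chrome.exe", "alice@corp.example"),
    ("https://antisleep-example.test/download/setup.exe", "chrome.exe", "alice@corp.example"),
    ("cdn.keepawake-example.test:443", "msedge.exe", "bob@corp.example"),
    ("KEEPAWAKE-EXAMPLE.TEST", "powershell.exe", "bob@corp.example"),
    ("update.unrelated-example.test", "svchost.exe", "SYSTEM"),
    ("", "svchost.exe", "SYSTEM"),
]

def load_domains(csv_text):
    """Mirror of externaldata + project: skip the header row, keep IndicatorValue lower-cased."""
    rows = csv_text.strip().splitlines()[1:]
    return {line.split(",", 1)[1].strip().lower() for line in rows if "," in line}

def to_host(remote_url):
    """Reduce a RemoteUrl (bare host, host:port, or full URL) to a lower-cased hostname."""
    if not remote_url:
        return ""
    if "://" in remote_url:
        return (urlsplit(remote_url).hostname or "").lower()
    return remote_url.split("/", 1)[0].split(":", 1)[0].lower()

def matches(host, domains):
    """Exact match as the query's in~ does, plus any subdomain of a listed domain."""
    return host in domains or any(host.endswith("." + d) for d in domains)

def exact_only_hits(events, domains):
    """How many rows the original in~ comparison would keep (case-insensitive, exact)."""
    return sum(1 for remote_url, _, _ in events if remote_url.lower() in domains)

def summarize(events, domains):
    """Counterpart of summarize count() by host, process, account, with the VirusTotal link."""
    counts = {}
    for remote_url, proc, upn in events:
        host = to_host(remote_url)
        if not matches(host, domains):
            continue
        key = (host, proc, upn, "https://www.virustotal.com/gui/domain/" + host)
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running `summarize(EVENTS, load_domains(IOC_CSV))` keeps four of the six constructed rows, whereas the exact comparison keeps only two.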

Details

Jay Kerai

Released: April 11, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

let, externaldata, with, format, ignoreFirstRecord, project, where, in~, extend, iff, isnotempty, strcat, summarize, by