Query Details

Browser Domains Device Network Events

Query

// Pull the indicator list straight from the GitHub CSV; the header row (type,IndicatorValue) is skipped.
let BrowserDomains = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Browser%20IOCs.csv"] with (format="csv", ignoreFirstRecord=True);
// Only the indicator column is needed for the match.
let DomainList = BrowserDomains
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
// in~ is a case-insensitive, whole-string match against the list.
| where RemoteUrl in~(DomainList)
// Build a VirusTotal pivot link for each hit (RemoteUrl is never empty here, so the iff always takes the first branch).
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After Hunting visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading to MDE to block all domains. Remove any results that are legitimate usage.

Explanation

This query identifies network events involving browser-related domains that are treated as indicators of compromise (IOCs). Here is a breakdown of what the query does:

  1. Load External Data: It retrieves a list of potentially malicious domains from a CSV file hosted on GitHub using externaldata. The file has two columns, type and IndicatorValue, and the header row is skipped with ignoreFirstRecord=True. Only IndicatorValue is used.

  2. Create Domain List: It projects the IndicatorValue column out of the CSV to produce the list of domains to hunt for.

  3. Filter Network Events: It searches DeviceNetworkEvents for events from the last 90 days whose RemoteUrl (the host the device connected to) matches an entry in the list. The in~ operator is a case-insensitive but whole-string comparison, so a subdomain of a listed domain, or a RemoteUrl value that carries a scheme or path, will not match.

  4. Add VirusTotal Links: For each matching event, it appends the RemoteUrl to the VirusTotal domain URL to produce a pivot link for further investigation.

  5. Summarize Results: It counts the events for each domain and returns one row per domain together with its VirusTotal link. Because the grouping is on the raw RemoteUrl string, the same domain seen with different letter casing appears as separate rows.

  6. Post-Analysis Action: The trailing comment suggests downloading the CSV after the hunt, uploading it to Microsoft Defender for Endpoint (MDE) as custom indicators to block the domains, and first removing any domains that turn out to be legitimate usage in your environment.

In simple terms, this query surfaces network traffic to potentially harmful domains and gives you a path to investigate and block them. Two practical notes: externaldata is supported in Microsoft Sentinel (Log Analytics), not in advanced hunting in the Defender portal, where the same table also uses Timestamp rather than TimeGenerated; and because the match is exact, a hit list of zero does not prove there was no contact with subdomains of the listed hosts.
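The following is an added example, not part of the original query page, that re-implements the hunt's matching logic offline in Python so the difference between the query's whole-string in~ match and a host-suffix match can be seen on concrete data. The CSV text and the DeviceNetworkEvents rows are constructed for the example (the domains are placeholders, not real indicators); the function names and the VT_PREFIX constant are this example's own.

```python
"""Offline re-implementation of the hunt's matching logic (added example, not the
page's own KQL).  Parses the same CSV layout (type,IndicatorValue, header first),
applies the case-insensitive whole-string match that `in~` performs, and, for
comparison, a host-suffix match that also catches subdomains and RemoteUrl values
that carry a scheme or path.  All indicators and events below are constructed."""
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for "Browser IOCs.csv": same two columns, header row first.
IOC_CSV = """type,IndicatorValue
Domain,browser-update-check.example
Domain,Free-Extension-Store.example
"""

# Constructed DeviceNetworkEvents rows (only the columns the hunt touches).
EVENTS = [
    {"DeviceName": "ws01", "RemoteUrl": "browser-update-check.example"},
    {"DeviceName": "ws02", "RemoteUrl": "BROWSER-UPDATE-CHECK.EXAMPLE"},
    {"DeviceName": "ws03", "RemoteUrl": "cdn.browser-update-check.example"},
    {"DeviceName": "ws04", "RemoteUrl": "https://free-extension-store.example/setup.exe"},
    {"DeviceName": "ws05", "RemoteUrl": "notbrowser-update-check.example"},
    {"DeviceName": "ws06", "RemoteUrl": "login.microsoftonline.com"},
]

VT_PREFIX = "https://www.virustotal.com/gui/domain/"


def load_indicators(csv_text: str) -> set[str]:
    """Mirror externaldata(... ignoreFirstRecord=True) | project IndicatorValue.
    DictReader consumes the header row; values are lower-cased for comparison."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["IndicatorValue"].strip().lower()
            for row in reader if row["IndicatorValue"].strip()}


def host_of(remote_url: str) -> str:
    """Reduce a RemoteUrl value to a lowercase hostname.  The column usually holds a
    bare host, but scheme+path values occur; urlsplit needs '//' to see a netloc."""
    value = remote_url.strip()
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()


def exact_match(remote_url: str, indicators: set[str]) -> bool:
    """Semantics of `RemoteUrl in~ (DomainList)`: whole string, case-insensitive."""
    return remote_url.strip().lower() in indicators


def suffix_match(remote_url: str, indicators: set[str]) -> bool:
    """Hit on the host itself or any subdomain of an indicator.  The label boundary
    is respected, so notbrowser-update-check.example is not a hit."""
    host = host_of(remote_url)
    return any(host == ioc or host.endswith("." + ioc) for ioc in indicators)


def hunt(events, indicators, matcher):
    """summarize count() by RemoteUrl, VT_domain.  The VT link is built from the
    parsed host rather than the raw RemoteUrl so it stays valid for scheme+path values."""
    counts = Counter(ev["RemoteUrl"] for ev in events
                     if matcher(ev["RemoteUrl"], indicators))
    return {url: {"count": n, "VT_domain": VT_PREFIX + host_of(url)}
            for url, n in counts.items()}


if __name__ == "__main__":
    iocs = load_indicators(IOC_CSV)
    for name, matcher in (("exact (in~)", exact_match), ("host suffix", suffix_match)):
        print(f"== {name} ==")
        for url, info in hunt(EVENTS, iocs, matcher).items():
            print(f"{info['count']:>3}  {url:<50} {info['VT_domain']}")
```

Run as-is: the exact matcher returns two rows (ws01 and ws02, split by casing exactly as the KQL summarize would), while the suffix matcher also returns the cdn. subdomain and the full URL from ws04, and still rejects the look-alike notbrowser-update-check.example.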

Details

Jay Kerai

Released: November 11, 2024

Tables

DeviceNetworkEvents

Keywords

BrowserDomains, IndicatorValue, DeviceNetworkEvents, TimeGenerated, RemoteUrl, VT_domain

Operators

let, externaldata, with, format, ignoreFirstRecord, project, where, in~, extend, iff, isnotempty, strcat, summarize, by