Query Details
//This query detects network connections to known malicious Cloudflare workers
let NetskopeCloudflareWorkers = externaldata(Url: string)[@"https://raw.githubusercontent.com/netskopeoss/NetskopeThreatLabsIOCs/main/Phishing/CloudflareWorkers/IOCs/README.md"] with (format="csv", ignoreFirstRecord=True);
let CloudFlareWorkers = NetskopeCloudflareWorkers
| where Url <> "```text" //ParseOutJunk
| where Url <> "- **URLs**"
| where Url <> "```"
| extend domain = split(Url,'/')
| extend RemoteUrl = replace_string(strcat(domain[1],domain[2]),'[.]','.')
| distinct RemoteUrl;
DeviceNetworkEvents
| where RemoteUrl in (CloudFlareWorkers) //example, use as you please
This query is designed to identify network connections to potentially harmful Cloudflare workers. Here's a simplified breakdown of what it does:
Data Import: It imports a list of URLs from an external source, specifically a GitHub repository that contains known malicious Cloudflare worker URLs. The data is formatted as CSV, and the first record (likely a header) is ignored.
Data Cleaning: It filters out unnecessary lines from the imported data that don't represent URLs. This includes lines that are part of the markdown formatting in the source file.
URL Processing: It processes the remaining URLs to extract the hostname part, replacing the defanging placeholder [.] with a real dot so the result is a valid hostname, and then deduplicates the list.
Event Matching: It checks network events recorded in DeviceNetworkEvents and returns those whose RemoteUrl exactly matches one of the extracted hostnames of known malicious Cloudflare workers.
In essence, this query helps in detecting if there are any network activities on your devices that are connecting to known malicious Cloudflare workers, which could indicate a security threat.
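The cleaning and matching steps described above, re-implemented offline in Python as an added example (not part of the original query or of the Netskope repository): the README text, the hostnames in it and the DeviceNetworkEvents rows are constructed samples, and the function names are this example's own. It goes slightly beyond the query by skipping any line that is not of the form scheme://host/... and by comparing hostnames case-insensitively.

```python
FENCE = "`" * 3  # the markdown code fence that wraps the URL list in the IOC README

# Constructed sample in the shape the query cleans; not the real Netskope README.
SAMPLE_README = "\n".join([
    "# Cloudflare Workers phishing IOCs (constructed sample)",
    "",
    "- **URLs**",
    FENCE + "text",
    "hxxps://login-sample[.]phish-sample[.]workers[.]dev/",
    "hxxps://verify-sample[.]workers[.]dev/index.html",
    FENCE,
])

# The same three markdown lines the KQL drops with `where Url <> ...`.
JUNK_LINES = {FENCE + "text", "- **URLs**", FENCE}

# Constructed stand-in for DeviceNetworkEvents rows (RemoteUrl holds the host).
SAMPLE_EVENTS = [
    {"DeviceName": "host01", "RemoteUrl": "login-sample.phish-sample.workers.dev"},
    {"DeviceName": "host02", "RemoteUrl": "update.example.com"},
    {"DeviceName": "host03", "RemoteUrl": "Verify-Sample.workers.dev"},
]


def extract_hosts(readme: str) -> set[str]:
    """Mirror the KQL: skip junk lines, split on '/', join parts 1 and 2, refang '[.]'."""
    hosts = set()
    for line in (ln.strip() for ln in readme.splitlines()):
        if not line or line in JUNK_LINES:
            continue
        parts = line.split("/")
        # The KQL's strcat(domain[1], domain[2]) assumes "scheme://host/...", where
        # parts[1] is "" and parts[2] is the host; lines of any other shape are
        # skipped here so a stray heading cannot become a bogus indicator.
        if len(parts) < 3 or parts[1] != "":
            continue
        hosts.add((parts[1] + parts[2]).replace("[.]", ".").lower())
    return hosts


def match_events(events: list[dict], hosts: set[str]) -> list[dict]:
    """Equivalent of `DeviceNetworkEvents | where RemoteUrl in (CloudFlareWorkers)`,
    compared case-insensitively here (KQL `in` is case-sensitive; `in~` is not)."""
    return [e for e in events if e.get("RemoteUrl", "").lower() in hosts]


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, extract_hosts(SAMPLE_README)):
        print(f"{hit['DeviceName']} connected to {hit['RemoteUrl']}")
```

Because the query compares RemoteUrl for exact equality with a hostname, events where RemoteUrl carries a full URL or a different case would not match in KQL unless the comparison is adjusted accordingly.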

Jay Kerai
Released: November 10, 2024