Query Details

Cock Li Abused Email Provider

Query

// Pull the domain list (one domain per line) from GitHub at query time; each line becomes one row in column cocklimail
let CockLiMailAddresses = externaldata (cocklimail: string) [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/cockli-abused-Email-domains.txt'] with (format=csv, ignoreFirstRecord=False);
EmailEvents
// Keep rows whose header (P2) sender domain is on the list, or whose recipient address contains a listed domain
| where SenderFromDomain has_any (CockLiMailAddresses) or RecipientEmailAddress has_any (CockLiMailAddresses)
// Visit https://github.com/jkerai1/TLD-TABL-Block for Block Script

Explanation

This KQL query identifies email events involving domains of the Cock.li email provider that are known to be abused. Here's a breakdown of what the query does:

  1. Data Import: It fetches a plain-text list of email domains (one per line) from an external file hosted on GitHub using externaldata. With format=csv and ignoreFirstRecord=False, every line, including the first, becomes one row in the single column cocklimail. The result is bound to a variable called CockLiMailAddresses.

  2. Filtering Email Events: It then scans EmailEvents for any row where the sender's domain (SenderFromDomain, the domain of the header From address) matches a domain in the CockLiMailAddresses list, or where the recipient's address (RecipientEmailAddress) contains one of those domains. has_any performs term matching, so a listed domain also matches when it appears as part of a longer value such as a full address.

  3. Purpose: The goal is to detect email communications involving these abused domains. The query itself only reports matches; blocking is a separate step.

Two caveats are worth knowing before running this as a production detection. First, the list is fetched live from the main branch of the repository every time the query runs, so any upstream change immediately changes what is matched; for a reproducible detection, pin the URL to a specific commit or copy the list into your own storage. Second, SenderFromDomain is the header (P2) sender domain; the envelope (P1) sender domain lives in the separate SenderMailFromDomain column and is not checked here.

The comment at the end of the query links to a GitHub repository containing a script that blocks these domains.
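As an added example (this is not the original query and not part of the TLD-TABL-Block project), here is the same detection extended the way an analyst would usually hunt with it: it also checks the envelope (P1) SenderMailFromDomain, derives the recipient's domain so it can be compared exactly rather than by term search, limits the window to 30 days, and projects the columns needed for triage. It assumes the same list URL as the query above; the alias names CockLiDomains and RecipientDomain are my own.

```kql
// Added example, not the original query: load the list as one lowercase column
let CockLiDomains =
    externaldata (cocklimail: string)
    [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/cockli-abused-Email-domains.txt']
    with (format="csv", ignoreFirstRecord=false)
    | where isnotempty(cocklimail)                          // drop blank lines
    | project Domain = tolower(trim(@"\s+", cocklimail));   // normalise for exact comparison
EmailEvents
| where Timestamp > ago(30d)
// Domain part of the recipient address, so it can be compared exactly (in~ is case-insensitive)
| extend RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
| where SenderFromDomain in~ (CockLiDomains)          // P2 header From domain (what the original checks)
    or SenderMailFromDomain in~ (CockLiDomains)       // P1 envelope MAIL FROM domain (not in the original)
    or RecipientDomain in~ (CockLiDomains)            // mail sent to a listed provider domain
| project Timestamp, NetworkMessageId, EmailDirection,
          SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress,
          Subject, DeliveryAction, DeliveryLocation, ThreatTypes, AttachmentCount, UrlCount
| order by Timestamp desc
```

One design difference from the original: in~ matches a listed domain exactly, so a subdomain of a listed domain would not match, whereas the original's has_any searches for the domain as a phrase and would. Pick whichever matches how the list is curated; if you need subdomain coverage with exact semantics, a join on the registered domain is the usual alternative.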

Details

Jay Kerai

Released: November 11, 2024

Tables

EmailEvents

Keywords

EmailEvents

Operators

let, externaldata, with, format, ignoreFirstRecord, |, where, has_any, or