Query Details

Consumer VPN Domains Device Network Events

Query

// Pull the consumer-VPN domain list straight from GitHub at query time.
// externaldata() is a Log Analytics / Sentinel operator; Defender XDR Advanced Hunting does not support it.
let VPNIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Consumer%20VPNs.csv"] with (format="csv", ignoreFirstRecord=True);
// Keep only the domain column so the table can be used as a single-column list inside in~().
let DomainList = VPNIOCs
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
// in~ is a case-insensitive exact match: subdomains of a listed domain are not caught unless listed themselves.
| where RemoteUrl in~(DomainList)
// Build a VirusTotal pivot link per domain (RemoteUrl is always non-empty here, because it matched the list).
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After hunting, visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV
// and consider uploading it to MDE to block all domains. Remove any results that are legitimate usage first.

Explanation

This KQL query surfaces DeviceNetworkEvents records from the past 90 days whose remote URL is on a published list of consumer VPN domains. Step by step:

  1. Load VPN Indicators: externaldata() fetches the Consumer VPNs CSV from the jkerai1/SoftwareCertificates GitHub repository at query time, skipping the header row. Because the list is fetched live and the time column is TimeGenerated, the query as written runs in Microsoft Sentinel / Log Analytics. Defender XDR Advanced Hunting does not support externaldata and names the column Timestamp, so there the domain list has to be pasted inline (for example as a datatable) and the column renamed.

  2. Extract Domain List: project IndicatorValue reduces the table to the single column that the in~ operator requires.

  3. Filter Network Events: the last 90 days of DeviceNetworkEvents are reduced to rows whose RemoteUrl equals a listed domain. in~ is a case-insensitive exact comparison, so a subdomain of a listed domain, or a RemoteUrl value that carries a path, only matches if that exact value is in the list.

  4. Generate VirusTotal Links: a VT_domain column is built by prefixing the domain with https://www.virustotal.com/gui/domain/, giving an investigation pivot. The isnotempty guard never fails here, because every surviving row already matched a non-empty list entry.

  5. Summarize Results: the output is one row per distinct RemoteUrl (and its link) with a hit count. summarize groups case-sensitively, so the same domain seen in different letter casing appears as separate rows. Adding DeviceName or InitiatingProcessFileName to the by clause shows who is using the VPN and which process initiated it, which is what you need to separate legitimate use from policy violations.

  6. Next Steps: the trailing comment points at the Bulk-IOC-CSVs folder. Download the CSV, remove any domains that your hunt showed to be legitimate usage, and then consider importing the remainder into Microsoft Defender for Endpoint (MDE) as custom indicators to block them.
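To see the matching and summarisation logic without a Sentinel workspace, the following added Python (not from the page or its author; the IOC rows, event rows and device names are constructed stand-ins for the GitHub CSV and DeviceNetworkEvents) re-implements the query offline. exact_match reproduces the in~ semantics of the query; suffix_match goes beyond the query and also catches subdomains of a listed domain, which the KQL as written does not.

```python
"""Offline re-implementation of the consumer-VPN hunt (added example, not the
page's own code).  IOC rows and network events below are constructed."""
import csv
import io
from collections import Counter

VT_DOMAIN = "https://www.virustotal.com/gui/domain/"

# Constructed stand-in for the Consumer VPNs CSV: a header row, then the same
# two columns (type, IndicatorValue) the query's externaldata() declares.
IOC_CSV = """type,IndicatorValue
DomainName,vpn-provider.example
DomainName,api.vpn-provider.example
DomainName,Fastvpn.example
"""

# Constructed stand-in for DeviceNetworkEvents rows (only the columns used here).
EVENTS = [
    {"DeviceName": "wks-01", "InitiatingProcessFileName": "vpnclient.exe", "RemoteUrl": "vpn-provider.example"},
    {"DeviceName": "wks-01", "InitiatingProcessFileName": "vpnclient.exe", "RemoteUrl": "VPN-PROVIDER.EXAMPLE"},
    {"DeviceName": "wks-02", "InitiatingProcessFileName": "chrome.exe", "RemoteUrl": "api.vpn-provider.example"},
    {"DeviceName": "wks-03", "InitiatingProcessFileName": "chrome.exe", "RemoteUrl": "cdn.fastvpn.example"},
    {"DeviceName": "wks-04", "InitiatingProcessFileName": "outlook.exe", "RemoteUrl": "mail.example"},
    {"DeviceName": "wks-05", "InitiatingProcessFileName": "svchost.exe", "RemoteUrl": ""},
]


def load_domains(csv_text):
    """Mirror externaldata(..., ignoreFirstRecord=True) | project IndicatorValue."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["IndicatorValue"].strip() for row in reader if row["IndicatorValue"].strip()]


def exact_match(url, domains):
    """RemoteUrl in~ (DomainList): case-insensitive, whole-value equality."""
    return url.lower() in {d.lower() for d in domains}


def suffix_match(url, domains):
    """Extension of the query: also match subdomains of a listed domain,
    e.g. cdn.fastvpn.example against the list entry Fastvpn.example."""
    u = url.lower()
    return any(u == d.lower() or u.endswith("." + d.lower()) for d in domains)


def hunt(events, domains, matcher=exact_match):
    """Filter events with the chosen matcher, then summarize count() by RemoteUrl.

    Grouping is on the raw RemoteUrl string, as KQL's summarize is case-sensitive,
    so differently cased hits on one domain land in separate rows just as in the
    query.  The per-device/process breakdown is extra triage context.
    """
    results = {}
    for ev in events:
        url = ev["RemoteUrl"]
        if not url or not matcher(url, domains):
            continue
        entry = results.setdefault(
            url, {"count": 0, "VT_domain": VT_DOMAIN + url, "devices": Counter()}
        )
        entry["count"] += 1
        entry["devices"][(ev["DeviceName"], ev["InitiatingProcessFileName"])] += 1
    return results


if __name__ == "__main__":
    domains = load_domains(IOC_CSV)
    for label, matcher in (("exact (in~)", exact_match), ("suffix", suffix_match)):
        print(f"--- {label} ---")
        for url, entry in hunt(EVENTS, domains, matcher).items():
            print(url, entry["count"], entry["VT_domain"], dict(entry["devices"]))
```

Running the exact matcher reproduces the query's three result rows (two of them the same domain in different casing); the suffix matcher additionally surfaces cdn.fastvpn.example, which the KQL silently misses. If that matters in your environment, extend the KQL accordingly rather than relying on the list carrying every subdomain.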

Details


Jay Kerai

Released: November 11, 2024

Tables

DeviceNetworkEvents

Keywords

VPNIOCs, IndicatorValue, DomainList, DeviceNetworkEvents, TimeGenerated, RemoteUrl, VT_domain

Operators

let, externaldata, with, project, where, in~, extend, iff, isnotempty, strcat, summarize, by
