Query Details

Crowdstrike Impersonation During Global Outage

Query

//Admins will never forget this one
// 1. Load the IOC list (CSV with columns: type, IndicatorValue) from GitHub
let CrowdstrikeIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/main/Bulk-IOC-CSVs/Crowdstrike%20MDE%20IOC%20-%20Impersonation%20of%20crowdstrike%20over%20global%20outages.csv"] with (format="csv", ignoreFirstRecord=true);
// 2. Keep only the domain values
let DomainList = CrowdstrikeIOCs
| project IndicatorValue;
// 3. Emails containing a URL whose domain is an IOC, joined to the email metadata
let emailurl = EmailUrlInfo
| where UrlDomain in~(DomainList)
| join EmailEvents on NetworkMessageId;
// 4. Emails sent from an IOC domain
let emailevent = EmailEvents
| where SenderFromDomain in~(DomainList);
// 5. Device network connections to an IOC domain, unioned with the email hits
DeviceNetworkEvents
| where RemoteUrl in~(DomainList)
| union emailurl, emailevent
// 6. VirusTotal pivot link, only populated for rows that carry a RemoteUrl
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)

Explanation

This query is designed to identify potential security threats by cross-referencing domain indicators of compromise (IOCs) from an external CSV file with email and network event data. Here's a simplified breakdown:

  1. Load External Data: The query starts by loading a list of IOCs from a CSV file hosted on GitHub. This file contains domains associated with impersonation threats related to Crowdstrike.

  2. Extract Domain List: It extracts the domain names (IndicatorValue) from the loaded data for further analysis.

  3. Email URL Analysis: It checks whether the domain of any URL found in email data (the UrlDomain column of EmailUrlInfo) appears in the IOC list, using a case-insensitive match (in~). Matching rows are joined to the email event data (EmailEvents) on the shared identifier NetworkMessageId so the sender, recipient and subject are available.

  4. Email Sender Analysis: Separately, it checks if any email senders' domains (SenderFromDomain) match the IOC domains.

  5. Network Event Analysis: It examines device network events (DeviceNetworkEvents) and keeps those whose RemoteUrl value is, case-insensitively, one of the IOC domains. Because this is an exact match on the whole RemoteUrl value, a full URL such as https://<ioc-domain>/path would not match unless the list itself contains that value.

  6. Combine Results: The query combines results from the email URL analysis, email sender analysis, and network event analysis.

  7. VirusTotal Link: For any matching network event, it creates a link to VirusTotal for further investigation of the domain.

In essence, this query is used to detect and investigate potential security incidents involving domains known to be associated with impersonation threats.
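The following is an added example, not the author's query above: it applies the same three-way hunt but normalises RemoteUrl to its host with parse_url() so full URLs to an IOC domain also match, and projects every branch to one column set so the unioned result is easier to triage. It assumes the same CSV layout (type, IndicatorValue) and the same advanced-hunting tables as the original.

```kql
// Added example (not the original query): same hunt with host normalisation
// and a common column set. Assumes CSV columns "type,IndicatorValue".
let CrowdstrikeIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/main/Bulk-IOC-CSVs/Crowdstrike%20MDE%20IOC%20-%20Impersonation%20of%20crowdstrike%20over%20global%20outages.csv"] with (format="csv", ignoreFirstRecord=true);
let DomainList = CrowdstrikeIOCs
    | where isnotempty(IndicatorValue)
    // lower-case and strip stray whitespace so list hygiene does not break matching
    | project IndicatorValue = tolower(trim(@"\s", IndicatorValue));
let NetworkHits = DeviceNetworkEvents
    // RemoteUrl may be a bare domain or a full URL; keep only the host part.
    // coalesce() falls back to the raw value when parse_url() yields no host.
    | extend MatchedDomain = tolower(coalesce(tostring(parse_url(RemoteUrl).Host), RemoteUrl))
    | where MatchedDomain in~ (DomainList)
    | project Timestamp, Source = "DeviceNetworkEvents", MatchedDomain,
              Observed = RemoteUrl, Context = strcat(DeviceName, " / ", InitiatingProcessFileName),
              NetworkMessageId = "";
let EmailUrlHits = EmailUrlInfo
    | where UrlDomain in~ (DomainList)
    | join kind=inner EmailEvents on NetworkMessageId
    | project Timestamp, Source = "EmailUrlInfo", MatchedDomain = tolower(UrlDomain),
              Observed = Url, Context = strcat(SenderFromAddress, " -> ", RecipientEmailAddress, " : ", Subject),
              NetworkMessageId;
let EmailSenderHits = EmailEvents
    | where SenderFromDomain in~ (DomainList)
    | project Timestamp, Source = "EmailEvents", MatchedDomain = tolower(SenderFromDomain),
              Observed = SenderFromAddress, Context = strcat(RecipientEmailAddress, " : ", Subject),
              NetworkMessageId;
union NetworkHits, EmailUrlHits, EmailSenderHits
// one VirusTotal pivot per row, built from the normalised domain rather than the raw URL
| extend VT_domain = strcat(@"https://www.virustotal.com/gui/domain/", MatchedDomain)
| sort by Timestamp desc
```

Because every branch now emits MatchedDomain, the VirusTotal link is populated for email hits as well as network hits, which the original query only did for rows carrying a RemoteUrl.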

Details


Jay Kerai

Released: February 4, 2025

Tables

CrowdstrikeIOCs, EmailUrlInfo, EmailEvents, DeviceNetworkEvents

Keywords

CrowdstrikeIOCs, IndicatorValue, DomainList, EmailUrlInfo, UrlDomain, EmailEvents, NetworkMessageId, SenderFromDomain, DeviceNetworkEvents, RemoteUrl, VT_domain

Operators

let, externaldata, with, project, where, in~, join, on, union, extend, iff, isnotempty, strcat