Query Details

Cryptocurrency Domain Detection

Query

//This query detects network connections to known cryptocurrency domains
// Pull the CoinBlockerLists domain list; each line is read as one string column named "type"
let Crypto = externaldata(type:string)[@"https://raw.githubusercontent.com/Ultimate-Hosts-Blacklist/ZeroDot1_CoinBlockerLists/master/domains.list"] with (format="csv", ignoreFirstRecord=True);
// Drop comment lines, then strip spaces and the 0.0.0.0 placeholder to leave a bare domain
let DomainList = Crypto
| where type !startswith "#"
| extend RemoteUrl = replace_string(replace_string(type, " ", ""),"0.0.0.0","")
| project RemoteUrl;
// Case-insensitive match (in~) of observed remote URLs against the cleaned list
DeviceNetworkEvents
| where RemoteUrl in~(DomainList)
| summarize count() by RemoteUrl

Explanation

This query is designed to identify network connections to known cryptocurrency-related domains. Here's a simplified breakdown of what it does:

  1. Data Import: It imports a list of cryptocurrency domains from an external source (a GitHub repository) and reads it as a CSV file, ignoring the first record, which may be a header.

  2. Data Cleaning: It filters out any lines in the imported data that start with a "#" (which are likely comments) and removes any spaces and the placeholder IP "0.0.0.0" from the domain entries.

  3. Domain List Creation: It creates a list of cleaned domain names, referred to as DomainList.

  4. Event Filtering: It checks network events (from DeviceNetworkEvents) to see if any of the remote URLs accessed match the domains in DomainList. The in~ operator makes this comparison case-insensitive, but it is still an exact match: a subdomain of a listed domain is not matched.

  5. Counting Connections: It counts how many times each of these cryptocurrency domains was accessed and provides a summary of these counts, grouped by each domain (RemoteUrl).
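To make the matching logic concrete, here is an added Python example (not part of the original query or post) that re-implements the list cleaning and the case-insensitive in~ match over a constructed blocklist and constructed DeviceNetworkEvents rows. The match_subdomains option goes beyond the original query, which only matches listed domains exactly.

```python
from collections import Counter

# Constructed sample in the hosts-style layout the query cleans up: comment
# lines start with "#", entries may carry a "0.0.0.0" placeholder and spaces.
SAMPLE_BLOCKLIST = """\
# CoinBlockerLists-style sample (constructed for this example)
0.0.0.0 pool.example-miner.test
0.0.0.0   Stratum.Example-Pool.test
coinhive.example.test
"""

# Constructed rows standing in for DeviceNetworkEvents (only the fields used).
SAMPLE_EVENTS = [
    {"DeviceName": "wks01", "RemoteUrl": "pool.example-miner.test"},
    {"DeviceName": "wks02", "RemoteUrl": "STRATUM.example-pool.test"},
    {"DeviceName": "wks03", "RemoteUrl": "www.microsoft.com"},
    {"DeviceName": "wks01", "RemoteUrl": "pool.example-miner.test"},
    {"DeviceName": "wks04", "RemoteUrl": "cdn.coinhive.example.test"},
]


def parse_domain_list(text: str) -> set:
    """Mirror the query's cleaning: drop '#' comment lines, remove spaces and
    the 0.0.0.0 placeholder, and lower-case so matching is case-insensitive
    like KQL's in~ operator."""
    domains = set()
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        cleaned = line.replace(" ", "").replace("0.0.0.0", "")
        if cleaned:
            domains.add(cleaned.lower())
    return domains


def count_crypto_connections(events, domains, match_subdomains=False):
    """Return {RemoteUrl: count}, grouped by the original RemoteUrl value as
    'summarize count() by RemoteUrl' does. match_subdomains=False reproduces
    the query's exact in~ match; True also flags hosts under a listed domain,
    which the original query would miss."""
    hits = Counter()
    for ev in events:
        url = ev["RemoteUrl"].lower()
        if url in domains:
            hits[ev["RemoteUrl"]] += 1
        elif match_subdomains and any(url.endswith("." + d) for d in domains):
            hits[ev["RemoteUrl"]] += 1
    return dict(hits)
```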

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

externaldata, with, where, !startswith, extend, replace_string, project, in~, summarize, count, by