Query Details

Custom Defender XDR KQL Detection For Fake CrowdStrike Email Domain Using Regex

Query

// Custom DefenderXDR KQL detection for fake CrowdStrike email domain using Regex
// https://www.linkedin.com/posts/activity-7222081026011885568-giCs/

// Configure as Detect & Purge:

EmailEvents
| where Timestamp > ago(1h)
| where EmailDirection == "Inbound"
| where LatestDeliveryAction == "Delivered"
| where SenderFromDomain matches regex "^[a-z0-9\\-]{0,}cr[0oO]wdstr[i1l]ke[a-z0-9\\-]{0,}\\.[a-z]{1,}$"
| where SenderFromDomain !endswith "crowdstrike.com" and
    SenderFromDomain !endswith "litmos.com" and
    SenderFromDomain !endswith "zoom.us"

Explanation

This KQL (Kusto Query Language) query is designed to detect and remove suspicious inbound emails that appear to come from fake CrowdStrike domains. Here's a simple summary of what the query does:

  1. Source Table: It looks at the EmailEvents table.
  2. Time Filter: It only considers emails received in the last hour (Timestamp > ago(1h)).
  3. Email Direction: It filters for inbound emails (EmailDirection == "Inbound").
  4. Delivery Status: It checks that the email was delivered (LatestDeliveryAction == "Delivered").
  5. Domain Check: It uses a regular expression to identify sender domains that look like they are mimicking CrowdStrike. The regex tolerates the character substitutions a look-alike domain would use (a zero or capital O in place of "o", a "1" or "l" in place of "i") and optional letters, digits or hyphens before and after the look-alike token.
  6. Exclusions: It excludes legitimate domains by ensuring the sender's domain does not end with "crowdstrike.com", "litmos.com", or "zoom.us".

In essence, this query helps identify potentially fraudulent emails that are trying to impersonate CrowdStrike by using look-alike domains, and it is configured to both detect and remove these emails.
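To see what the regex and the exclusion clauses actually flag before enabling the rule, here is an added Python re-implementation of the query's filter logic; it is not part of the original query or the author's material, the sample sender domains are constructed, and Python's re module stands in for Kusto's RE2 engine.

```python
import re

# The regex from the KQL query above (with its character class written as [a-z0-9\-]).
# Kusto's "matches regex" is case-sensitive, so the pattern is compiled without re.IGNORECASE.
LOOKALIKE_RE = re.compile(r"^[a-z0-9\-]{0,}cr[0oO]wdstr[i1l]ke[a-z0-9\-]{0,}\.[a-z]{1,}$")

# Suffixes from the query's three !endswith clauses.
# Kusto's endswith is case-insensitive, so the comparison is done on a lower-cased domain.
ALLOWED_SUFFIXES = ("crowdstrike.com", "litmos.com", "zoom.us")


def is_flagged(domain: str) -> bool:
    """True if the sender domain would survive both where clauses of the query:
    it matches the look-alike regex and does not end with an allow-listed suffix."""
    if not LOOKALIKE_RE.match(domain):
        return False
    lowered = domain.lower()
    return not any(lowered.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def flagged_domains(domains):
    """Apply the same filter over a batch of SenderFromDomain values, e.g. from an EmailEvents export."""
    return [d for d in domains if is_flagged(d)]


# Constructed sample values for testing the rule; none of these are real indicators.
SAMPLE_DOMAINS = [
    "crowdstrike.com",           # legitimate, removed by the !endswith exclusion
    "cr0wdstrike.com",           # zero for "o": flagged
    "crowdstr1ke-support.net",   # one for "i" plus a hyphenated suffix: flagged
    "crowdstrlke.io",            # lowercase L for "i": flagged
    "fakecrowdstrike.com",       # matches the regex, but ends with "crowdstrike.com", so excluded
    "updates.cr0wdstrike.net",   # not matched: the leading character class has no "." for subdomains
    "example.com",               # unrelated domain, no match
]

if __name__ == "__main__":
    for domain in SAMPLE_DOMAINS:
        print(f"{domain:28} flagged={is_flagged(domain)}")
```

Two results are worth noting when tuning the rule: `fakecrowdstrike.com` escapes because the `!endswith "crowdstrike.com"` exclusion also drops any look-alike that merely ends with that string, and `updates.cr0wdstrike.net` escapes because the regex's leading `[a-z0-9\-]` class does not allow a dotted subdomain before the look-alike token.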

Details


Steven Lim

Released: August 2, 2024

Tables

EmailEvents

Keywords

EmailEvents

Operators

//, |, >, ago(), ==, matches regex, !endswith
