Query Details

Defender XDR Weekly OSINT Indicators Scan 05052025

Query

// https://security.microsoft.com/intel-explorer/articles/cd8a2200
// DefenderXDR Weekly OSINT Indicators Scan 05052025

// Pull the week's indicator list straight from GitHub at query time. The declared
// columns must match the CSV header. Note the URL tracks refs/heads/main, so the list
// (and therefore what this hunt flags) changes whenever that file is edited.
let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINT05May2025.csv'];
// One single-column table per indicator type; has_any() below accepts these
// tabular expressions directly. The Source column is not used for matching.
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
// Email attachments from the last 30 days whose SHA256 is listed.
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
// URLs seen in email: match either the bare domain or the full URL.
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
// Files created on endpoints: any of the three hash columns may match.
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
// Successful outbound connections to a listed IP or domain.
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
// HTTP requests inspected by Defender for Endpoint: the requested host name lives
// in the host field of AdditionalFields, not in RemoteUrl.
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost has_any(OSINTDOMAIN);
// One result set. The source tables have different columns, so this is an outer
// union and columns absent from a given table come back empty.
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2

Explanation

This query scans email and endpoint telemetry in Defender XDR for a published list of indicators of compromise (IOCs) and returns every event that touches one of them. Step by step:

  1. Data Import: externaldata fetches the week's Open Source Intelligence (OSINT) indicators as a CSV file straight from GitHub at query time. The three declared columns (Type, Value, Source) must match the file's header. Because the URL points at refs/heads/main rather than a specific commit, the hunt flags whatever is in that file when it runs; anyone who can edit the file can change what the hunt flags, so pin the URL to a commit if that matters to you.

  2. Indicator Categorization: the imported rows are filtered by Type into six single-column lists (the Source column is not used for matching):

    • OSINTSHA256: SHA256 hashes
    • OSINTSHA1: SHA1 hashes
    • OSINTMD5: MD5 hashes
    • OSINTDOMAIN: Domains
    • OSINTURL: URLs
    • OSINTIP: IP addresses
  3. Scanning Email Attachments: EmailAttachmentInfo rows from the past 30 days whose SHA256 appears in the SHA256 list.

  4. Scanning Email URLs: EmailUrlInfo rows from the past 30 days whose UrlDomain matches a listed domain or whose Url matches a listed URL.

  5. Scanning Endpoint Files: DeviceFileEvents rows from the past 30 days with ActionType FileCreated whose MD5, SHA1 or SHA256 appears in the corresponding list. Only file creation is checked, so a listed file that was already on disk, or that was merely executed, is not flagged by this step; widen ActionType, or add DeviceProcessEvents, if you want that coverage.

  6. Scanning Endpoint Network Activity, both from DeviceNetworkEvents over the past 30 days:

    • Connection Success: rows with ActionType ConnectionSuccess whose RemoteIP matches a listed IP or whose RemoteUrl matches a listed domain.
    • HTTP Connections: rows with ActionType HttpConnectionInspected, where the requested host name is read from the host field of AdditionalFields and compared with the listed domains.
  7. Results Union: the five result sets are combined with union into one output. The source tables have different columns, so the output is an outer union in which columns absent from a given table are empty.

Two points to keep in mind when reading the results. The 30-day window is the full advanced hunting retention, so this is as far back as the query can look. And has_any is a term match, not an equality test: a listed domain also matches its subdomains and any URL that embeds it, which is usually what you want for domains, whereas for hashes and IP addresses an exact comparison with in~ or in is the stricter choice.

In essence, this query is a single pass across email and endpoint data for known malicious indicators; a non-empty result means something in the tenant has handled a listed file, URL, domain or IP within the last 30 days and should be triaged.
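The same hunt can be rebuilt so that every hit says which indicator fired and which Source it came from, which is the first thing an analyst needs at triage time. The following is an added example, not the author's query: it normalises each source table into one observables stream and joins that once against the indicator list. It assumes the same CSV schema and URL as the original; the column names Observable, SourceTable and Context are chosen here. The trade-off is that the join is an exact, lowercased equality rather than has_any's term match, so a listed parent domain no longer matches its subdomains and a listed URL must equal the observed URL.

```kql
// Added example (not part of the original query): single-join variant that
// returns the matched indicator, its Type and its Source with every hit.
// Assumes the CSV schema and URL of the original query; the column names
// Observable, SourceTable and Context are arbitrary choices made here.
let Lookback = 30d;
let WeeklyOSINT = externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINT05May2025.csv']
// Normalise once: Defender stores hashes in lowercase, and a stray space in a
// hand-maintained CSV would otherwise silently prevent a match.
| extend Value = tolower(trim(@"\s+", Value))
| where isnotempty(Value);
// Every source table is reduced to the same four columns before matching.
let FileObservables =
DeviceFileEvents
| where Timestamp > ago(Lookback) and ActionType == "FileCreated"
| extend Candidates = pack_array(SHA256, SHA1, MD5)
| mv-expand Observable = Candidates to typeof(string)
| where isnotempty(Observable)
| project Timestamp, SourceTable = "DeviceFileEvents",
          Context = strcat(DeviceName, " ", FolderPath),
          Observable = tolower(Observable);
let MailAttachmentObservables =
EmailAttachmentInfo
| where Timestamp > ago(Lookback) and isnotempty(SHA256)
| project Timestamp, SourceTable = "EmailAttachmentInfo",
          Context = strcat(NetworkMessageId, " ", RecipientEmailAddress, " ", FileName),
          Observable = tolower(SHA256);
let MailUrlObservables =
EmailUrlInfo
| where Timestamp > ago(Lookback)
// Both the bare domain and the full URL are candidates, so "domain" and "url"
// indicators can each match exactly.
| extend Candidates = pack_array(UrlDomain, Url)
| mv-expand Observable = Candidates to typeof(string)
| where isnotempty(Observable)
| project Timestamp, SourceTable = "EmailUrlInfo",
          Context = strcat(NetworkMessageId, " ", Url),
          Observable = tolower(Observable);
let NetworkObservables =
DeviceNetworkEvents
| where Timestamp > ago(Lookback) and ActionType == "ConnectionSuccess"
| extend Candidates = pack_array(RemoteIP, RemoteUrl)
| mv-expand Observable = Candidates to typeof(string)
| where isnotempty(Observable)
| project Timestamp, SourceTable = "DeviceNetworkEvents",
          Context = strcat(DeviceName, " ", InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort),
          Observable = tolower(Observable);
let HttpObservables =
DeviceNetworkEvents
| where Timestamp > ago(Lookback) and ActionType == "HttpConnectionInspected"
| extend Observable = tolower(tostring(todynamic(AdditionalFields).host))
| where isnotempty(Observable)
| project Timestamp, SourceTable = "DeviceNetworkEvents/HttpConnectionInspected",
          Context = strcat(DeviceName, " ", InitiatingProcessFileName),
          Observable;
union FileObservables, MailAttachmentObservables, MailUrlObservables, NetworkObservables, HttpObservables
// Exact match; both sides were lowercased above, so case differences cannot hide a hit.
| join kind=inner (WeeklyOSINT | project Observable = Value, IndicatorType = Type, Source) on Observable
| project Timestamp, SourceTable, Context, Observable, IndicatorType, Source
| order by Timestamp desc
```

If you want the looser domain behaviour of the original back, keep this structure but replace the join for domain indicators with a has_any filter and then join on the extracted host to recover the Source column; the normalisation and the single output shape are the parts worth keeping.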

Details


Steven Lim

Released: May 22, 2025

Tables

WeeklyOSINT, EmailAttachmentInfo, EmailUrlInfo, DeviceFileEvents, DeviceNetworkEvents

Keywords

WeeklyOSINTIndicators, EmailAttachmentInfo, EmailURLInfo, DeviceFileEvents, DeviceNetworkEvents

Operators

let, externaldata, where, project, ago, has_any, extend, todynamic, union
