Defender XDR Weekly OSINT Indicators Scan 05052025
Query
// https://security.microsoft.com/intel-explorer/articles/cd8a2200
// DefenderXDR Weekly OSINT Indicators Scan 05052025
let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINT05May2025.csv'];
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2Explanation
This query is designed to scan for potential security threats using a set of known indicators of compromise (IOCs) from an external source. Here's a simplified breakdown of what the query does:
-
Data Import: It imports a list of Open Source Intelligence (OSINT) indicators from a CSV file hosted on GitHub. These indicators include different types of data such as SHA256, SHA1, and MD5 hashes, domains, URLs, and IP addresses.
-
Indicator Categorization: The imported data is categorized into different types:
OSINTSHA256: SHA256 hashesOSINTSHA1: SHA1 hashesOSINTMD5: MD5 hashesOSINTDOMAIN: DomainsOSINTURL: URLsOSINTIP: IP addresses
-
Scanning Email Attachments: It checks email attachments from the past 30 days to see if any of their SHA256 hashes match the known SHA256 indicators.
-
Scanning Email URLs: It examines URLs in emails from the past 30 days to see if any match the known domains or URLs.
-
Scanning Endpoint Files: It looks at files created on endpoints in the past 30 days to see if any of their MD5, SHA1, or SHA256 hashes match the known indicators.
-
Scanning Endpoint Network Activity:
- Connection Success: It checks successful network connections from the past 30 days to see if any remote IPs or URLs match the known IPs or domains.
- HTTP Connections: It inspects HTTP connections from the past 30 days to see if any hostnames match the known domains.
-
Results Union: Finally, it combines the results from all these scans into a single dataset to identify any matches with the known threat indicators.
In essence, this query is a comprehensive scan across email and endpoint data to detect potential threats based on known malicious indicators.
Details

Steven Lim
Released: May 22, 2025
Tables
Keywords
Operators