Defender XDR Weekly OSINT Indicators Scan 10032025
Query
// DefenderXDR Weekly OSINT Indicators Scan 10032025
// https://www.linkedin.com/posts/0x534c_cybersecurity-osint-defenderxdr-activity-7297886477198180353-K_0Y/
let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINTHightlights10Mar2025.csv'];
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2Explanation
This query is designed to scan and detect potential security threats using Open Source Intelligence (OSINT) indicators over the past 30 days. Here's a simplified breakdown of what it does:
-
Data Source: It pulls in a list of OSINT indicators from an external CSV file. These indicators include different types of data such as SHA256, SHA1, and MD5 hashes, domain names, URLs, and IP addresses.
-
Separate Lists: It organizes these indicators into separate lists based on their type (e.g., SHA256 hashes, domains, URLs, etc.).
-
Email Attachments Scan: It checks email attachments from the last 30 days to see if any of their SHA256 hashes match the OSINT indicators.
-
Email URLs Scan: It examines URLs in emails from the last 30 days to see if any match the domains or URLs in the OSINT indicators.
-
Endpoint Files Scan: It looks at files created on devices in the last 30 days to see if any of their MD5, SHA1, or SHA256 hashes match the OSINT indicators.
-
Network Connections Scan: It checks network connections on devices from the last 30 days for any matches with the OSINT IP addresses or domains.
-
HTTP Connections Scan: It inspects HTTP connections on devices to see if any host names match the OSINT domains.
Finally, it combines the results from all these scans into a single output to identify any potential threats based on the OSINT indicators.
Details

Steven Lim
Released: March 12, 2025
Tables
Keywords
Operators