Query Details

Defender XDR Weekly OSINT Indicators Scan 10032025

Query

// DefenderXDR Weekly OSINT Indicators Scan 10032025

// https://www.linkedin.com/posts/0x534c_cybersecurity-osint-defenderxdr-activity-7297886477198180353-K_0Y/

let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINTHightlights10Mar2025.csv'];
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
// host lives inside the JSON AdditionalFields payload; cast to string before the term match
| extend HttpHost = tostring(ConnectInfo.host)
| where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2

Explanation

This query scans Defender XDR advanced hunting data from the past 30 days for Open Source Intelligence (OSINT) indicators published in an external CSV. Here's a breakdown of what it does:

  1. Data Source: It pulls in a list of OSINT indicators with externaldata from a CSV file hosted on GitHub. Each row has a Type, a Value and a Source; the types used are SHA256, SHA1 and MD5 hashes, domain names, URLs and IP addresses. The query only works while that URL is reachable from the advanced hunting service and the file keeps this column layout.

  2. Separate Lists: It splits the indicators into one single-column list per type (SHA256 hashes, domains, URLs, etc.) so each list can be fed to has_any.

  3. Email Attachments Scan: It checks EmailAttachmentInfo rows from the last 30 days for attachments whose SHA256 matches an OSINT hash.

  4. Email URLs Scan: It checks EmailUrlInfo rows from the last 30 days for URL domains matching an OSINT domain, or full URLs matching an OSINT URL.

  5. Endpoint Files Scan: It checks DeviceFileEvents rows (FileCreated only) from the last 30 days for files whose MD5, SHA1 or SHA256 matches an OSINT hash.

  6. Network Connections Scan: It checks DeviceNetworkEvents rows with ActionType ConnectionSuccess from the last 30 days for a remote IP in the OSINT IP list or a remote URL matching an OSINT domain. Failed or blocked connection attempts are not included.

  7. HTTP Connections Scan: It checks DeviceNetworkEvents rows with ActionType HttpConnectionInspected, parses the host from the AdditionalFields JSON, and matches it against the OSINT domains.

Finally, it unions the five result sets into a single output. Two things to keep in mind when reading that output: union keeps each source table's own columns, so an EmailUrlInfo hit and a DeviceNetworkEvents hit populate different fields; and has_any is a case-insensitive whole-term match rather than an equality test, so a domain indicator such as evil.com also matches longer hostnames that contain the same terms in sequence, while hashes and IPs are only matched when the full token is present.
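The variant below is an added triage-oriented version of the scan, not the author's query or anything from the linked repository. It keeps the same feed and the same five sub-scans but normalises the feed values once, uses in~ for the exact-match columns (hashes and IPs) while keeping has_any only where a term match is wanted (URLs and hostnames), tags every hit with its source table and the observed value that fired, and collapses the union into a per-indicator hit list. The Lookback variable, the MatchSource/MatchedValue/Entity/Context column names and the final summarize are assumptions introduced here.

```kql
// Added triage variant of the weekly OSINT scan (not the original query).
let Lookback = 30d;
let WeeklyOSINT = externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINTHightlights10Mar2025.csv']
| extend Value = tolower(trim(@"\s+", Value));      // strip stray whitespace, lower-case hashes and hosts
let OSINTSHA256 = WeeklyOSINT | where Type == "hash_sha256" | project Value;
let OSINTSHA1   = WeeklyOSINT | where Type == "hash_sha1"   | project Value;
let OSINTMD5    = WeeklyOSINT | where Type == "hash_md5"    | project Value;
let OSINTDOMAIN = WeeklyOSINT | where Type == "domain"      | project Value;
let OSINTURL    = WeeklyOSINT | where Type == "url"         | project Value;
let OSINTIP     = WeeklyOSINT | where Type == "ip"          | project Value;
// Every sub-scan projects the same five columns plus ReportId so the union has one schema.
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(Lookback)
| where SHA256 in~ (OSINTSHA256)                    // in~ : case-insensitive equality, no term splitting
| project Timestamp, MatchSource = "EmailAttachmentInfo", MatchedValue = SHA256,
          Entity = NetworkMessageId, Context = strcat(FileName, " from ", SenderFromAddress), ReportId;
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(Lookback)
| where UrlDomain in~ (OSINTDOMAIN) or Url has_any (OSINTURL)
| project Timestamp, MatchSource = "EmailUrlInfo",
          MatchedValue = iff(UrlDomain in~ (OSINTDOMAIN), UrlDomain, Url),
          Entity = NetworkMessageId, Context = Url, ReportId;
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(Lookback) and ActionType == "FileCreated"
| where SHA256 in~ (OSINTSHA256) or SHA1 in~ (OSINTSHA1) or MD5 in~ (OSINTMD5)
| project Timestamp, MatchSource = "DeviceFileEvents",
          MatchedValue = case(SHA256 in~ (OSINTSHA256), SHA256, SHA1 in~ (OSINTSHA1), SHA1, MD5),
          Entity = DeviceName, Context = strcat(FolderPath, " <- ", InitiatingProcessFileName), ReportId;
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(Lookback) and ActionType == "ConnectionSuccess"
| where RemoteIP in (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN)   // has_any on RemoteUrl also catches subdomains
| project Timestamp, MatchSource = "DeviceNetworkEvents/ConnectionSuccess",
          MatchedValue = iff(RemoteIP in (OSINTIP), RemoteIP, RemoteUrl),
          Entity = DeviceName,
          Context = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort), ReportId;
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(Lookback) and ActionType == "HttpConnectionInspected"
| extend HttpHost = tolower(tostring(parse_json(AdditionalFields).host))   // host is inside the JSON payload
| where HttpHost has_any (OSINTDOMAIN)
| project Timestamp, MatchSource = "DeviceNetworkEvents/HttpConnectionInspected",
          MatchedValue = HttpHost, Entity = DeviceName,
          Context = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort), ReportId;
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2
// One row per (table, indicator value) with first/last sighting and up to 25 affected entities.
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Entities = make_set(Entity, 25), SampleContext = take_any(Context)
  by MatchSource, MatchedValue
| order by Hits desc
```

Drop the final summarize and order by if you want the raw per-event rows back (for example to feed a custom detection rule, which needs Timestamp, ReportId and an entity column on every row); the projected schema above already keeps those. The Entity column is NetworkMessageId for the two email tables and DeviceName for the two device tables, which is enough to pivot back into the original table with the ReportId.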

Details


Steven Lim

Released: March 12, 2025

Tables

EmailAttachmentInfo, EmailUrlInfo, DeviceFileEvents, DeviceNetworkEvents

Keywords

DefenderXDR, OSINT, Indicators, Email, Attachment, URL, Domain, IP, Device, File, Network, Connection, HttpHost

Operators

let, externaldata, h'https://', |, where, ==, project, >, ago, has_any, extend, todynamic, union
