Query Details

Defender XDR Weekly OSINT Indicators Scan 12052025

Query


// https://security.microsoft.com/intel-explorer/articles/bc23c9d3
// DefenderXDR Weekly OSINT Indicators Scan 12052025

// Pull this week's indicator list (columns: Type, Value, Source) from GitHub.
// externaldata() fetches the CSV over the internet on every run, so the query
// needs outbound access to raw.githubusercontent.com to return anything.
let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINT12May2025.csv'];
// Split the feed into one list per indicator type so each is matched
// against the right column of the Defender XDR tables.
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
// Email: attachments from the last 30 days whose SHA256 is on the list.
// A hash is a single term, so has_any behaves as a case-insensitive exact match here.
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
// Email: links whose domain or full URL is on the list.
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
// Endpoint: newly created files whose MD5, SHA1 or SHA256 is on the list.
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
// Endpoint: successful outbound connections to listed IPs or domains.
// has_any matches whole terms, so a listed domain also matches its subdomains in RemoteUrl.
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
// Endpoint: inspected HTTP connections whose Host header is on the list.
// The host is inside the AdditionalFields JSON, so parse it and cast it to string first.
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = tostring(ConnectInfo.host)
| where HttpHost has_any(OSINTDOMAIN);
// Merge all hits into one result set; union keeps the columns of every source table.
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2

Explanation

This query scans recent Defender XDR data for matches against a set of known indicators of compromise (IOCs) loaded from an external source. Here's a breakdown of what it does:

  1. Load External Data: It imports a CSV file of weekly Open Source Intelligence (OSINT) indicators, which includes hashes, domains, URLs, and IP addresses. The file is fetched from GitHub at query time, so the query returns nothing if that fetch fails.

  2. Filter and Categorize Indicators:

    • It splits the indicators into separate lists by type: SHA256 hashes, SHA1 hashes, MD5 hashes, domains, URLs, and IP addresses.

  3. Scan Recent Data:

    • Email Attachments: It checks email attachments from the last 30 days for a SHA256 hash that matches a known indicator.
    • Email URLs: It examines URLs in emails from the last 30 days for matches with known malicious domains or URLs.
    • Endpoint Files: It looks at files created on devices in the last 30 days, checking their MD5, SHA1, or SHA256 hashes against the indicators.
    • Network Connections: It inspects network events from the last 30 days for successful connections to known malicious IPs or domains.
    • HTTP Connections: It further inspects HTTP connections to see whether the host matches a known malicious domain.

  4. Combine Results: Finally, it unions the results of all these scans into one view of potential threats detected across email and endpoint activity.

Note that every comparison uses has_any, which matches whole terms rather than exact strings: a hash is one term, so hash lookups are effectively exact (and case-insensitive), but a listed domain also matches its subdomains and any URL containing it. Indicator values in the CSV therefore need to be clean (valid hex for hashes, valid addresses for IPs); a malformed value never produces a hit and fails silently.
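As an added check (not part of the original query or the author's repository), this Python script validates and buckets a Type,Value,Source CSV the same way the let statements above do, rejecting malformed hashes, IPs, domains and URLs that would otherwise never match. The sample rows are constructed placeholders, not real indicators.

```python
"""Validate and bucket a WeeklyOSINT-style CSV (Type,Value,Source) before it is
served to externaldata(). Added example; the rows in SAMPLE_CSV are constructed."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Hash indicators must be fixed-length hex, matching the SHA256/SHA1/MD5 columns.
_HEX_LEN = {"hash_sha256": 64, "hash_sha1": 40, "hash_md5": 32}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def _valid(ioc_type, value):
    """Return True when value is well-formed for its indicator type."""
    if ioc_type in _HEX_LEN:
        return re.fullmatch(rf"[0-9a-f]{{{_HEX_LEN[ioc_type]}}}", value) is not None
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "domain":
        return _DOMAIN_RE.match(value) is not None
    if ioc_type == "url":
        return value.startswith(("http://", "https://")) and " " not in value
    return False  # unknown Type: the query would never use it


def bucket_indicators(csv_text):
    """Return ({type: sorted unique values}, [(row, reason) for rejected rows]).
    Hashes and domains are lower-cased so duplicates differing only in case collapse."""
    buckets, rejected = defaultdict(set), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc_type = (row.get("Type") or "").strip()
        value = (row.get("Value") or "").strip()
        if ioc_type in _HEX_LEN or ioc_type == "domain":
            value = value.lower()
        if not value:
            rejected.append((row, "empty value"))
        elif not _valid(ioc_type, value):
            rejected.append((row, f"malformed {ioc_type or 'type'}"))
        else:
            buckets[ioc_type].add(value)
    return {k: sorted(v) for k, v in buckets.items()}, rejected


# Constructed sample feed: placeholder values, not real IOCs.
SAMPLE_CSV = "\n".join([
    "Type,Value,Source",
    "hash_sha256," + "A" * 64 + ",example-report",   # same hash, upper case
    "hash_sha256," + "a" * 64 + ",example-report",
    "hash_md5,deadbeef,example-report",               # too short: rejected
    "domain,Malicious.Example,example-report",
    "ip,203.0.113.9,example-report",
    "ip,999.1.1.1,example-report",                    # not an address: rejected
    "url,https://malicious.example/payload,example-report",
])
```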

Details

Steven Lim

Released: May 22, 2025

Tables

WeeklyOSINT, EmailAttachmentInfo, EmailUrlInfo, DeviceFileEvents, DeviceNetworkEvents

Keywords

WeeklyOSINT, Indicators, EmailAttachmentInfo, EmailURLInfo, DeviceFileEvents, DeviceNetworkEvents

Operators

let, externaldata, where, project, ago, has_any, extend, todynamic, union