Defender XDR Weekly OSINT Indicators Scan 19052025
Query
// https://security.microsoft.com/intel-explorer/articles/eb2f0669
// DefenderXDR Weekly OSINT Indicators Scan 19052025
let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINT19May2025.csv'];
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2Explanation
This query is designed to scan various data sources for potential security threats using a list of known indicators of compromise (IOCs) from an external Open Source Intelligence (OSINT) file. Here's a simplified breakdown of what the query does:
-
Load OSINT Data: It imports a CSV file containing different types of threat indicators (like hashes, domains, URLs, and IP addresses) from a specified URL.
-
Categorize Indicators: The data is filtered into different categories based on the type of indicator:
- SHA256 hashes
- SHA1 hashes
- MD5 hashes
- Domains
- URLs
- IP addresses
-
Scan Email Attachments: It checks email attachments from the past 30 days to see if any of their SHA256 hashes match the known threat hashes.
-
Scan Email URLs: It examines URLs in emails from the past 30 days to see if any match the known threat domains or URLs.
-
Scan Endpoint Files: It looks at files created on endpoints in the past 30 days to see if any of their hashes (MD5, SHA1, SHA256) match the known threat hashes.
-
Scan Endpoint Network Connections: It checks network connections on endpoints from the past 30 days to see if any remote IPs or URLs match the known threat IPs or domains.
-
Combine Results: It combines the results from all these scans to provide a comprehensive view of potential threats detected across email and endpoint data.
In essence, this query helps identify potential security threats by cross-referencing recent activity against a list of known malicious indicators.
Details

Steven Lim
Released: May 22, 2025
Tables
Keywords
Operators