Query Details

Defender XDR Weekly OSINT Indicators Scan 19052025

Query

// https://security.microsoft.com/intel-explorer/articles/eb2f0669
// DefenderXDR Weekly OSINT Indicators Scan 19052025

// Load this week's indicator feed (columns: Type, Value, Source) straight from GitHub.
// externaldata is evaluated by the Defender XDR query engine, so the service itself,
// not the analyst's browser, must be able to reach raw.githubusercontent.com.
let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINT19May2025.csv'];
// Split the feed into one value list per indicator type.
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
// Email: attachment hashes over the last 30 days (the Advanced Hunting retention window).
// has_any is case-insensitive, so the hash case used in the feed does not matter.
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
// Email: URL domain or full URL matches. Term matching on a dotted name means a listed
// domain also matches its subdomains.
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
// Endpoint: hashes of newly created files, matched on whichever hash type the feed carries.
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
// Endpoint: successful connections to a listed IP or to a listed domain (RemoteUrl is the
// resolved name when Defender knows it).
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
// Endpoint: HTTP Host header seen by network inspection. This catches a listed domain
// that sits behind a shared IP or CDN. AdditionalFields is a JSON string, so the host is
// parsed out and cast back to string before matching.
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = tostring(ConnectInfo.host)
| where HttpHost has_any(OSINTDOMAIN);
// Stack the five result sets; columns present in only some tables come back empty for the others.
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2

Explanation

This query cross-references the last 30 days of email and endpoint telemetry in Defender XDR Advanced Hunting against a weekly list of known indicators of compromise (IOCs) published as a CSV file on GitHub. Here's what it does, step by step:

  1. Load OSINT Data: It pulls the CSV file (columns Type, Value, Source) from the GitHub URL with externaldata. The file name is dated, so each week the URL is swapped for the current week's file.

  2. Categorize Indicators: The feed is split into one list per indicator type:

    • SHA256 hashes
    • SHA1 hashes
    • MD5 hashes
    • Domains
    • URLs
    • IP addresses
  3. Scan Email Attachments: It checks email attachments (EmailAttachmentInfo) from the past 30 days for SHA256 hashes that appear in the feed.

  4. Scan Email URLs: It checks URLs in emails (EmailUrlInfo) from the past 30 days for a URL domain that matches a listed domain, or a full URL that matches a listed URL.

  5. Scan Endpoint Files: It checks files created on endpoints (DeviceFileEvents, ActionType FileCreated) in the past 30 days for an MD5, SHA1 or SHA256 hash that appears in the feed.

  6. Scan Endpoint Network Connections: It makes two passes over DeviceNetworkEvents for the past 30 days. The first looks at successful connections (ConnectionSuccess) whose remote IP or remote URL matches a listed IP or domain. The second looks at inspected HTTP connections (HttpConnectionInspected), parses the Host header out of AdditionalFields and compares it to the domain list, which catches a listed domain even when it is served from a shared IP or a CDN.

  7. Combine Results: It unions the five result sets into one table, giving a single view of every email and endpoint event that touched a listed indicator.

Two points to keep in mind when reading the output. The 30-day lookback is the full Advanced Hunting retention window, so this is a scan of everything the tenant still holds. And because has_any does term matching, a listed domain also matches its subdomains, and every row returned is a raw event rather than a verdict: hits still need to be triaged before they are treated as a confirmed compromise.
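The seven steps above, re-implemented offline so the matching logic can be exercised without a Defender XDR tenant. This is an added example, not code from the original page or its author: it reads a constructed CSV in the same Type,Value,Source layout as the weekly feed, runs constructed events for each of the five scans through the same filters, and applies the same 30-day window. The match semantics are assumptions that approximate has_any: hashes, URLs and IPs compare case-insensitively as whole values, and a domain indicator matches a host that equals it or is a subdomain of it. All indicator values and event rows are synthetic placeholders.

```python
"""Offline emulation of the Weekly OSINT indicator scan (added example, not the page's code)."""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed feed in the Type,Value,Source layout of WeeklyOSINT19May2025.csv.
# Every value is a synthetic placeholder, not a real indicator.
OSINT_CSV = """Type,Value,Source
hash_sha256,0f2b1c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9,constructed
hash_sha1,da39a3ee5e6b4b0d3255bfef95601890afd80709,constructed
hash_md5,d41d8cd98f00b204e9800998ecf8427e,constructed
domain,bad.example,constructed
url,http://bad.example/payload.bin,constructed
ip,203.0.113.10,constructed
"""
NOW = datetime(2025, 5, 22, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible
LOOKBACK = timedelta(days=30)                      # the query's ago(30d)


def load_indicators(csv_text):
    """Bucket indicator values by Type, mirroring the six `let` blocks in the query."""
    buckets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[row["Type"].strip()].add(row["Value"].strip().lower())
    return buckets


def domain_match(host, domains):
    """Assumed has_any behaviour on dotted names: exact host or any subdomain of a listed domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_event(e, ioc):
    """Return the indicator an event hits, or None. One branch per scan in the KQL query."""
    table, action = e["Table"], e.get("ActionType")

    def low(key):  # case-insensitive whole-value compare, as has_any does for hashes/IPs/URLs
        return (e.get(key) or "").lower()

    if table == "EmailAttachmentInfo":
        return low("SHA256") if low("SHA256") in ioc["hash_sha256"] else None
    if table == "EmailUrlInfo":
        if domain_match(e.get("UrlDomain"), ioc["domain"]):
            return e["UrlDomain"]
        return low("Url") if low("Url") in ioc["url"] else None
    if table == "DeviceFileEvents" and action == "FileCreated":
        for col, kind in (("MD5", "hash_md5"), ("SHA1", "hash_sha1"), ("SHA256", "hash_sha256")):
            if low(col) in ioc[kind]:
                return low(col)
        return None
    if table == "DeviceNetworkEvents" and action == "ConnectionSuccess":
        if low("RemoteIP") in ioc["ip"]:
            return e["RemoteIP"]
        return e["RemoteUrl"] if domain_match(e.get("RemoteUrl"), ioc["domain"]) else None
    if table == "DeviceNetworkEvents" and action == "HttpConnectionInspected":
        host = json.loads(e.get("AdditionalFields") or "{}").get("host")  # Host header in the JSON blob
        return host if domain_match(host, ioc["domain"]) else None
    return None


def scan_events(events, ioc, now=NOW, lookback=LOOKBACK):
    """The union at the end of the query: every in-window event that hits an indicator."""
    hits = []
    for e in events:
        if datetime.fromisoformat(e["Timestamp"]) <= now - lookback:
            continue  # outside Timestamp > ago(30d)
        matched = match_event(e, ioc)
        if matched is not None:
            hits.append((e["Table"], e["Timestamp"], matched))
    return hits


# Constructed events: five should hit; three should not (wrong ActionType, unrelated host,
# outside the 30-day window).
SAMPLE_EVENTS = [
    {"Table": "EmailAttachmentInfo", "Timestamp": "2025-05-20T08:00:00+00:00",
     "SHA256": "0F2B1C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9"},
    {"Table": "EmailUrlInfo", "Timestamp": "2025-05-20T08:01:00+00:00",
     "UrlDomain": "cdn.bad.example", "Url": "https://cdn.bad.example/x"},
    {"Table": "DeviceFileEvents", "Timestamp": "2025-05-21T09:00:00+00:00", "ActionType": "FileCreated",
     "MD5": "d41d8cd98f00b204e9800998ecf8427e", "SHA1": "", "SHA256": ""},
    {"Table": "DeviceFileEvents", "Timestamp": "2025-05-21T09:05:00+00:00", "ActionType": "FileModified",
     "MD5": "", "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "SHA256": ""},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2025-05-21T10:00:00+00:00", "ActionType": "ConnectionSuccess",
     "RemoteIP": "203.0.113.10", "RemoteUrl": ""},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2025-05-21T10:01:00+00:00", "ActionType": "ConnectionSuccess",
     "RemoteIP": "198.51.100.7", "RemoteUrl": "notbad.example"},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2025-05-21T10:02:00+00:00", "ActionType": "HttpConnectionInspected",
     "AdditionalFields": "{\"direction\":\"Out\",\"host\":\"bad.example\"}"},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2025-04-01T10:00:00+00:00", "ActionType": "ConnectionSuccess",
     "RemoteIP": "203.0.113.10", "RemoteUrl": ""},
]


def run_demo():
    return scan_events(SAMPLE_EVENTS, load_indicators(OSINT_CSV))


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Running it prints the five hits, one per scan branch. The FileModified row and the notbad.example connection are dropped by the same filters the KQL applies, and the April connection to the listed IP falls outside the 30-day window; if that last row were a real finding, the tenant would no longer hold the event at all, which is why the feed needs to be run every week rather than on demand.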

Details

Steven Lim

Released: May 22, 2025

Tables

WeeklyOSINT, EmailAttachmentInfo, EmailUrlInfo, DeviceFileEvents, DeviceNetworkEvents

Keywords

WeeklyOSINT, Indicators, Scan, Email, Attachments, URLs, Endpoint, Files, Network, DeviceEvents

Operators

let, externaldata, where, project, has_any, extend, todynamic, union