Defender XDR Weekly OSINT Indicators Scan 24022025
Query
// DefenderXDR Weekly OSINT Indicators Scan
// https://www.linkedin.com/posts/0x534c_cybersecurity-osint-defenderxdr-activity-7297886477198180353-K_0Y/
// https://security.microsoft.com/intel-explorer/articles/681e9886
let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINTHightlights24Feb2025.csv'];
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2Explanation
This query is designed to scan for potential security threats using weekly Open Source Intelligence (OSINT) indicators. Here's a simplified breakdown of what it does:
-
Data Source: It imports a CSV file containing OSINT indicators, which include different types of threat indicators like SHA256, SHA1, MD5 hashes, domains, URLs, and IP addresses.
-
Categorization: The imported data is categorized into different types:
OSINTSHA256: SHA256 hashesOSINTSHA1: SHA1 hashesOSINTMD5: MD5 hashesOSINTDOMAIN: DomainsOSINTURL: URLsOSINTIP: IP addresses
-
Scanning Email Attachments: It checks email attachments from the last 30 days to see if any of their SHA256 hashes match the OSINT indicators.
-
Scanning Email URLs: It examines URLs in emails from the last 30 days to see if any domains or URLs match the OSINT indicators.
-
Scanning Endpoint Files: It looks at files created on endpoints in the last 30 days to see if any of their MD5, SHA1, or SHA256 hashes match the OSINT indicators.
-
Scanning Endpoint Network Connections:
- ConnectionSuccess: It checks successful network connections from the last 30 days to see if any remote IPs or domains match the OSINT indicators.
- HttpConnectionInspected: It inspects HTTP connections from the last 30 days to see if any HTTP hosts match the OSINT domains.
-
Combining Results: Finally, it combines the results from all these scans to provide a comprehensive view of potential threats detected based on the OSINT indicators.
Details

Steven Lim
Released: February 25, 2025
Tables
Keywords
Operators