Query Details

Defender XDR Weekly OSINT Indicators Scan 24022025

Query

// DefenderXDR Weekly OSINT Indicators Scan

// https://www.linkedin.com/posts/0x534c_cybersecurity-osint-defenderxdr-activity-7297886477198180353-K_0Y/
// https://security.microsoft.com/intel-explorer/articles/681e9886

let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINTHightlights24Feb2025.csv'];
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let OSINTSHA1 =
WeeklyOSINT
| where Type == "hash_sha1"
| project Value;
let OSINTMD5 =
WeeklyOSINT
| where Type == "hash_md5"
| project Value;
let OSINTDOMAIN =
WeeklyOSINT
| where Type == "domain"
| project Value;
let OSINTURL =
WeeklyOSINT
| where Type == "url"
| project Value;
let OSINTIP =
WeeklyOSINT
| where Type == "ip"
| project Value;
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs =
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
let ScanEndpointNetwork1 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
let ScanEndpointNetwork2 =
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = tostring(ConnectInfo.host) // Host header of the inspected HTTP request, cast to string so has_any can match it
| where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2

Explanation

This query is designed to scan for potential security threats using weekly Open Source Intelligence (OSINT) indicators. Here's a simplified breakdown of what it does:

  1. Data Source: It imports a CSV file containing OSINT indicators, which include different types of threat indicators like SHA256, SHA1, MD5 hashes, domains, URLs, and IP addresses.

  2. Categorization: The imported data is categorized into different types:

    • OSINTSHA256: SHA256 hashes
    • OSINTSHA1: SHA1 hashes
    • OSINTMD5: MD5 hashes
    • OSINTDOMAIN: Domains
    • OSINTURL: URLs
    • OSINTIP: IP addresses
  3. Scanning Email Attachments: It checks email attachments from the last 30 days to see if any of their SHA256 hashes match the OSINT indicators.

  4. Scanning Email URLs: It examines URLs in emails from the last 30 days to see if any domains or URLs match the OSINT indicators.

  5. Scanning Endpoint Files: It looks at files created on endpoints in the last 30 days to see if any of their MD5, SHA1, or SHA256 hashes match the OSINT indicators.

  6. Scanning Endpoint Network Connections:

    • ConnectionSuccess: It checks successful network connections from the last 30 days to see if any remote IPs or domains match the OSINT indicators.
    • HttpConnectionInspected: It inspects HTTP connections from the last 30 days to see if any HTTP hosts match the OSINT domains.
  7. Combining Results: Finally, it combines the results from all these scans to provide a comprehensive view of potential threats detected based on the OSINT indicators.
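Every `where Type == "..."` branch above silently drops feed rows whose Type tag is misspelled, and `has_any` never matches a malformed hash or IP, so a feed defect looks like "no hits" rather than an error. As an added pre-check, not part of the original query or its repository, this Python script parses a constructed feed in the externaldata column order (Type, Value, Source; no header row, because externaldata without ignoreFirstRecord treats every row as data) and reports rows that the query could never match. The names validate_indicator, load_feed and SAMPLE_FEED are this example's own.

```python
import csv
import ipaddress
import re

# Type tags the query's `where Type == ...` lines select; rows with any other tag are silently dropped.
HASH_LEN = {"hash_md5": 32, "hash_sha1": 40, "hash_sha256": 64}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Constructed sample feed (Type,Value,Source). The last two rows are deliberately bad: a mis-tagged type and an invalid IP.
SAMPLE_FEED = """\
hash_sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,constructed
hash_md5,0123456789abcdef0123456789abcdef,constructed
domain,malicious.example,constructed
url,https://phish.example/login,constructed
ip,203.0.113.10,constructed
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,constructed
ip,203.0.113.999,constructed
"""

def validate_indicator(kind, value):
    """Return None when value is well formed for its Type tag, else a string saying why it would never match."""
    if kind in HASH_LEN:
        ok = len(value) == HASH_LEN[kind] and all(c in "0123456789abcdefABCDEF" for c in value)
        return None if ok else f"{kind} must be {HASH_LEN[kind]} hex characters"
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return None
        except ValueError:
            return "not a valid IP address"
    if kind == "domain":
        return None if DOMAIN_RE.match(value) else "not a bare hostname"
    if kind == "url":
        return None if re.match(r"^https?://\S+$", value, re.I) else "URL must start with http:// or https://"
    return f"unknown Type {kind!r}: no `where Type ==` branch selects it"

def load_feed(csv_text):
    """Bucket rows by Type the way the query's let statements do; collect rows that would never match anything."""
    buckets, rejects = {}, []
    for row in csv.reader(csv_text.splitlines()):
        if len(row) != 3:
            rejects.append((row, "expected 3 columns: Type,Value,Source"))
            continue
        kind, value = row[0].strip(), row[1].strip()
        problem = validate_indicator(kind, value)
        if problem:
            rejects.append((row, problem))
        else:
            buckets.setdefault(kind, []).append(value)
    return buckets, rejects
```

Run load_feed over the real CSV before publishing the feed; a non-empty rejects list means the query would be scanning with fewer indicators than the feed appears to contain.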

Details

Steven Lim

Released: February 25, 2025

Tables

WeeklyOSINT, EmailAttachmentInfo, EmailUrlInfo, DeviceFileEvents, DeviceNetworkEvents

Keywords

DefenderXDR, OSINT, Email, Attachment, URL, Domain, DeviceFileEvent, NetworkEvent, IP, SHA256, SHA1, MD5

Operators

let, externaldata, where, project, ago, has_any, extend, todynamic, union