Query Details
// DefenderXDR Weekly OSINT Indicators Scan
// https://www.linkedin.com/posts/0x534c_cybersecurity-osint-defenderxdr-activity-7297886477198180353-K_0Y/
let WeeklyOSINT = externaldata(Type:string, Value:string, Source:string)
    [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINTHightlights17Feb2025.csv'];
let OSINTSHA256 = WeeklyOSINT | where Type == "hash_sha256" | project Value;
let OSINTSHA1 = WeeklyOSINT | where Type == "hash_sha1" | project Value;
let OSINTMD5 = WeeklyOSINT | where Type == "hash_md5" | project Value;
let OSINTDOMAIN = WeeklyOSINT | where Type == "domain" | project Value;
let OSINTURL = WeeklyOSINT | where Type == "url" | project Value;
let OSINTIP = WeeklyOSINT | where Type == "ip" | project Value;
let ScanEmailAttachments = EmailAttachmentInfo
    | where Timestamp > ago(30d)
    | where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs = EmailUrlInfo
    | where Timestamp > ago(30d)
    | where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
let ScanEndpointFiles = DeviceFileEvents
    | where Timestamp > ago(30d)
    | where ActionType == "FileCreated"
    | where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
let ScanEndpointNetwork1 = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
let ScanEndpointNetwork2 = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where ActionType == "HttpConnectionInspected"
    | extend ConnectInfo = todynamic(AdditionalFields)
    | extend HttpHost = ConnectInfo.host
    | where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2
This query is designed to scan and detect potential security threats by comparing recent data from various sources against a list of known indicators of compromise (IOCs) gathered from open-source intelligence (OSINT). Here's a simplified breakdown of what the query does:
Data Import: It imports a list of IOCs from an external CSV file with externaldata(). These IOCs cover several indicator types: SHA256, SHA1 and MD5 hashes, domains, URLs, and IP addresses.
Categorization: The imported indicators are split by their Type column into six lists: hash_sha256, hash_sha1, hash_md5, domain, url, and ip.
Scanning Email Attachments: It checks email attachments from the past 30 days to see if any of their SHA256 hashes match the known IOCs.
Scanning Email URLs: It examines URLs in emails from the past 30 days to identify any that match known malicious domains or URLs.
Scanning Endpoint Files: It looks at files created on endpoints in the past 30 days, checking their MD5, SHA1, or SHA256 hashes against the IOCs.
Scanning Network Connections: It checks successful device network connections (ActionType "ConnectionSuccess") from the past 30 days whose remote IP or remote URL matches a known IP or domain, and inspected HTTP connections (ActionType "HttpConnectionInspected") whose HTTP host, parsed from AdditionalFields, matches a known domain.
Combining Results: Finally, it combines the results from all these scans to provide a comprehensive view of potential threats detected across email attachments, email URLs, endpoint files, and network connections.
In essence, this query helps identify and flag potentially malicious activities by comparing recent data against a curated list of known threats.
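To test the matching logic offline, here is an added Python reimplementation of the query's per-table filters and final union (example code, not part of the original query or the SlimKQL repository); it assumes a constructed CSV in the same Type,Value,Source layout and constructed events carrying only the columns the query reads.

```python
import csv, io, json
from collections import defaultdict
# Constructed stand-in for the Type,Value,Source CSV that the query loads with externaldata();
# every indicator value below is made up for this example.
OSINT_CSV = """Type,Value,Source
hash_sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,constructed
hash_md5,d41d8cd98f00b204e9800998ecf8427e,constructed
domain,bad.example,constructed
url,http://bad.example/dl/payload.bin,constructed
ip,203.0.113.10,constructed
"""
# Constructed events carrying only the columns the query reads from each table.
EVENTS = [
    {"Table": "EmailAttachmentInfo", "SHA256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated", "MD5": "d41d8cd98f00b204e9800998ecf8427e", "SHA1": "", "SHA256": ""},
    {"Table": "DeviceFileEvents", "ActionType": "FileDeleted", "MD5": "d41d8cd98f00b204e9800998ecf8427e", "SHA1": "", "SHA256": ""},
    {"Table": "DeviceNetworkEvents", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.10", "RemoteUrl": ""},
    {"Table": "DeviceNetworkEvents", "ActionType": "HttpConnectionInspected", "AdditionalFields": json.dumps({"host": "bad.example"})},
]

def load_iocs(csv_text):
    """Bucket indicators by Type, as the query's six let statements do (lower-cased for matching)."""
    buckets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[row["Type"]].add(row["Value"].strip().lower())
    return buckets

def matches(event, iocs):
    """IOC types an event matches, mirroring the query's filters; exact/substring match stands in for KQL has_any()."""
    t, hits = event["Table"], []
    hit = lambda value, kind: value.lower() in iocs[kind]  # case-insensitive exact match
    if t == "EmailAttachmentInfo" and hit(event["SHA256"], "hash_sha256"):
        hits.append("hash_sha256")
    elif t == "EmailUrlInfo":
        if hit(event["UrlDomain"], "domain"): hits.append("domain")
        if any(u in event["Url"].lower() for u in iocs["url"]): hits.append("url")
    elif t == "DeviceFileEvents" and event["ActionType"] == "FileCreated":
        for col, kind in (("MD5", "hash_md5"), ("SHA1", "hash_sha1"), ("SHA256", "hash_sha256")):
            if event[col] and hit(event[col], kind): hits.append(kind)
    elif t == "DeviceNetworkEvents" and event["ActionType"] == "ConnectionSuccess":
        if hit(event["RemoteIP"], "ip"): hits.append("ip")
        if hit(event["RemoteUrl"], "domain"): hits.append("domain")
    elif t == "DeviceNetworkEvents" and event["ActionType"] == "HttpConnectionInspected":
        host = json.loads(event["AdditionalFields"]).get("host", "")  # todynamic(AdditionalFields).host
        if hit(host, "domain"): hits.append("domain")
    return hits

def scan(events, iocs):
    """The union of all five scans: every event with at least one IOC hit."""
    return [(e["Table"], matches(e, iocs)) for e in events if matches(e, iocs)]
```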

Steven Lim
Released: February 19, 2025