Query Details

Detect Malicious URL Answers By DNS Queries

Query

**Detect Malicious URL answers by DNS queries**

**Description:** The aim of this query is to detect suspicious URL answers returned by DNS queries, validate them against an external TI feed (URLhaus), and raise an alert whenever there is a match.

```kql
// Pull the URLhaus "online" CSV feed and split it into its columns
let URLHausOnlineRAW = externaldata (UHFeed:string) ["https://urlhaus.abuse.ch/downloads/csv_online/"] with(format="txt")
| where UHFeed !startswith "#"                 // drop the comment and header lines of the feed
| extend UHRAW=replace_string(UHFeed, '"', '') // strip the quotes that wrap every field
| project splitted=split(UHRAW, ',')
| mv-expand id=splitted[0], dateadded=splitted[1], UHUrl=splitted[2], UHurl_status=splitted[3], UHlast_online=splitted[4], UHthreat=splitted[5], UHtags=splitted[6], UHLink=splitted[7], UHReporter=splitted[8]
| extend UHUrl = tostring(UHUrl)
| extend UHUrlDomain = tostring(parse_url(UHUrl).Host) // host part of the malicious URL
| project-away splitted;
DeviceNetworkEvents
| extend answers = todynamic(tostring(parse_json(AdditionalFields).answers))
| extend answersext = todynamic(tostring(parse_json(AdditionalFields).answers)) // unexpanded copy, kept for the output
| mv-expand answers                            // one row per DNS answer
//| extend geo_Remote_answers = todynamic(tostring(geo_info_from_ip_address(answers).country))
| extend Type =
    case(
        answers matches regex @"^(\d{1,3}\.){3}\d{1,3}$", "IPv4",   // Matches IPv4 format
        answers matches regex @"^([a-fA-F0-9:]+)$", "IPv6",         // Matches IPv6 format
        answers contains ".", "URL",                                // Checks if it contains a dot (common in URLs)
        "Unknown"                                                   // Default case
    )
| where Type has "URL"
| extend answers = tostring(answers)           // join keys must be string, not dynamic
| join kind=inner (URLHausOnlineRAW) on $left.answers == $right.UHUrl
| extend geo_Remote_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
| project Timestamp,DeviceName,LocalIP,RemoteIP,geo_Remote_ip,MaliciousAnswers = UHUrl,answersext,UHUrlDomain, ActionType
```

Explanation

This query is designed to detect potentially malicious URLs that are returned in DNS query responses. Here's a simplified breakdown of what the query does:

  1. Fetch External Threat Intelligence Feed: It retrieves a list of known malicious URLs from an external source, URLHaus, which provides a CSV file of active threats.

  2. Process the Threat Intelligence Data: The data from the feed is cleaned and split into relevant fields, such as the URL, date added, threat type, and other metadata.

  3. Analyze Device Network Events: It examines network events on devices, specifically looking at DNS query responses to identify any URLs that are returned.

  4. Identify URL Responses: The query filters the DNS responses to find those that are URLs (as opposed to IP addresses).

  5. Match Against Threat Intelligence: It checks if any of the URLs found in the DNS responses match the known malicious URLs from the URLHaus feed.

  6. Output Results: If there are matches, it outputs details such as the timestamp, device name, local and remote IP addresses, the country of the remote IP, the malicious URL detected, and the domain of the URL.

In summary, this query helps in identifying and alerting on DNS queries that return URLs known to be malicious, using an external threat intelligence feed for validation.
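The same pipeline, reimplemented offline in Python as an added example (not part of the original query): it parses a constructed URLhaus-style CSV, classifies each DNS answer the way the query's `case()` does, and matches name answers against the feed. Because DNS answers are hostnames while URLhaus rows carry full URLs, the example matches on the feed's host component as well as the exact URL; the IPv6 check uses `ipaddress`, which is stricter than the query's hex-and-colon regex. All feed rows and device events below are made up.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the URLhaus csv_online layout (comment lines start with '#').
URLHAUS_SAMPLE = '''# URLhaus online feed (constructed sample)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1","2025-03-01 10:00:00","http://bad.example.net/bins/x86","online","2025-03-02 10:00:00","malware_download","elf","https://urlhaus.abuse.ch/url/1/","reporter1"
"2","2025-03-01 11:00:00","http://cdn.evil-example.org/a.php","online","2025-03-02 11:00:00","malware_download","php","https://urlhaus.abuse.ch/url/2/","reporter2"
'''

# Constructed DNS events, each with the 'answers' list the query expands with mv-expand.
EVENTS = [
    {"DeviceName": "ws01", "answers": ["cdn.evil-example.org", "203.0.113.5"]},
    {"DeviceName": "ws02", "answers": ["www.example.com", "2001:db8::1"]},
]

IPV4 = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")  # same IPv4 pattern as the query


def load_urlhaus(text):
    """Parse the feed into {url: host}, skipping '#' lines like the KQL 'where' does."""
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {row[2]: urlparse(row[2]).hostname for row in rows if len(row) >= 9}


def classify(answer):
    """Mirror the query's case(): IPv4, IPv6, URL (contains a dot), else Unknown."""
    if IPV4.match(answer):
        return "IPv4"
    try:
        ipaddress.IPv6Address(answer)  # stricter than the query's [a-fA-F0-9:]+ regex
        return "IPv6"
    except ValueError:
        pass
    return "URL" if "." in answer else "Unknown"


def match_answers(events, feed):
    """Return (device, answer, feed_url) for name answers found in the feed."""
    by_host = {host: url for url, host in feed.items()}
    hits = []
    for ev in events:
        for ans in ev["answers"]:
            if classify(ans) != "URL":
                continue
            url = ans if ans in feed else by_host.get(ans.lower())
            if url:
                hits.append((ev["DeviceName"], ans, url))
    return hits
```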

Details


Sergio Albea

Released: March 14, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, URL, DNSQueries, ExternalTIFeed, Timestamp, DeviceName, LocalIP, RemoteIP, MaliciousAnswers, ActionType

Operators

let, externaldata, with, where, !startswith, extend, replace_string, project, split, mv-expand, tostring, parse_url, project-away, todynamic, parse_json, case, matches regex, contains, has, join, on, project
