Query Details

Detect Malicious URL Answers By DNS Queries

Query

let URLHausOnlineRAW = externaldata (UHFeed:string) ["https://urlhaus.abuse.ch/downloads/csv_online/"] with(format="txt")
| where UHFeed !startswith "#"
| extend UHRAW=replace_string(UHFeed, '"', '')
| project splitted=split(UHRAW, ',')
| mv-expand id=splitted[0], dateadded=splitted[1], UHUrl=splitted[2], UHurl_status=splitted[3], UHlast_onlin=splitted[4], UHthreat=splitted[5], UHtags=splitted[6], UHLink=splitted[7], UHReporter=splitted[8]
| extend UHUrl = tostring(UHUrl)
| extend UHUrlDomain = tostring(parse_url(UHUrl).Host)
| project-away splitted;
DeviceNetworkEvents
| extend answers = todynamic(tostring(parse_json(AdditionalFields).answers))
| extend answersext = todynamic(tostring(parse_json(AdditionalFields).answers))
| mv-expand answers
//| extend geo_Remote_answers = todynamic(tostring(geo_info_from_ip_address(answers).country))
| extend Type =
    case(
        answers matches regex @"^(\d{1,3}\.){3}\d{1,3}$", "IPv4",   // Matches IPv4 format
        answers matches regex @"^([a-fA-F0-9:]+)$", "IPv6",         // Matches IPv6 format
        answers contains ".", "URL",                                // Checks if it contains a dot (common in URLs)
        "Unknown"                                                      // Default case
    )
| where Type has "URL"
| extend tostring(answers)
| join kind=inner (URLHausOnlineRAW) on $left.answers == $right.UHUrl
| extend geo_Remote_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
| project Timestamp,DeviceName,LocalIP,RemoteIP,geo_Remote_ip,MaliciousAnswers = UHUrl,answersext,UHUrlDomain, ActionType

About this query

Detect Malicious URL answers by DNS queries

Description: The aim of this query is detect suspicious URL answers from DNS Queries, validating them with an external TI Feed and be alerted when there are some matches.

Explanation

This query is designed to detect potentially malicious URLs from DNS queries by comparing them against a known threat intelligence feed. Here's a simplified breakdown of what the query does:

  1. Fetch External Threat Intelligence Data:

    • The query retrieves data from an external source, URLHaus, which provides a list of known malicious URLs. This data is processed to remove any unnecessary characters and split into relevant fields such as URL, threat type, and other metadata.
  2. Process Device Network Events:

    • It examines network events from devices, specifically looking at the DNS query responses (answers) to identify any URLs.
  3. Identify URL Types:

    • The query categorizes the DNS answers to determine if they are URLs, IPv4, IPv6, or unknown types. It focuses on those identified as URLs.
  4. Match Against Threat Intelligence:

    • It performs an inner join between the DNS query results and the URLHaus data to find matches, indicating that a device has queried a known malicious URL.
  5. Output Relevant Information:

    • For any matches found, the query outputs details such as the timestamp, device name, local and remote IP addresses, the country associated with the remote IP, the malicious URL detected, and the action type.

In summary, this query is used to monitor network activity for any DNS queries that resolve to URLs known to be malicious, helping to alert security teams to potential threats in their network.

Details

Sergio Albea profile picture

Sergio Albea

Released: June 9, 2025

Tables

URLHausOnlineRAWDeviceNetworkEvents

Keywords

DeviceNetworkEventsDNSQueriesURLExternalTIFeedMaliciousAnswers

Operators

letexternaldatawhereextendreplace_stringprojectsplitmv-expandtostringparse_urlproject-awaytodynamicparse_jsoncasematchesregexcontainshasjoinon

Actions

GitHub