Query Details

Device Network Events Blocklist Project Hits

Query

// This query checks network traffic against multiple blocklists from the Blocklist Project.
// Includes checks for porn, piracy, torrent, phishing, malware, and ransomware domains.
// Each list is a hosts-format file: comment lines start with "#", entries look like "0.0.0.0 <hostname>".
// The same three steps turn every file into a single RemoteUrl column: drop comment lines,
// strip the 0.0.0.0 sink address and any whitespace, keep only the hostname.
let PornBlockListProj = externaldata(type: string)[@"https://raw.githubusercontent.com/blocklistproject/Lists/master/porn.txt"] with (format="csv", ignoreFirstRecord=false)
| where type !startswith "#"
| extend RemoteUrl = replace_string(replace_string(type, "0.0.0.0", ""), " ", "")
| project RemoteUrl;
let PiracyBlockListProj = externaldata(type: string)[@"https://raw.githubusercontent.com/blocklistproject/Lists/master/piracy.txt"] with (format="csv", ignoreFirstRecord=false)
| where type !startswith "#"
| extend RemoteUrl = replace_string(replace_string(type, "0.0.0.0", ""), " ", "")
| project RemoteUrl;
let TorrentBlockListProj = externaldata(type: string)[@"https://raw.githubusercontent.com/blocklistproject/Lists/master/torrent.txt"] with (format="csv", ignoreFirstRecord=false)
| where type !startswith "#"
| extend RemoteUrl = replace_string(replace_string(type, "0.0.0.0", ""), " ", "")
| project RemoteUrl;
let PhishingBlockListProj = externaldata(type: string)[@"https://raw.githubusercontent.com/blocklistproject/Lists/master/phishing.txt"] with (format="csv", ignoreFirstRecord=false)
| where type !startswith "#"
| extend RemoteUrl = replace_string(replace_string(type, "0.0.0.0", ""), " ", "")
| project RemoteUrl;
let MalwareBlockListProj = externaldata(type: string)[@"https://raw.githubusercontent.com/blocklistproject/Lists/master/malware.txt"] with (format="csv", ignoreFirstRecord=false)
| where type !startswith "#"
| extend RemoteUrl = replace_string(replace_string(type, "0.0.0.0", ""), " ", "")
| project RemoteUrl;
let RansomBlockListProj = externaldata(type: string)[@"https://raw.githubusercontent.com/blocklistproject/Lists/master/ransomware.txt"] with (format="csv", ignoreFirstRecord=false)
| where type !startswith "#"
| extend RemoteUrl = replace_string(replace_string(type, "0.0.0.0", ""), " ", "")
| project RemoteUrl;
DeviceNetworkEvents
// in~ is a case-insensitive exact match on the whole RemoteUrl value, so a subdomain of a
// listed host only matches if that subdomain is itself on one of the lists.
| where RemoteUrl in~ (PornBlockListProj) or RemoteUrl in~ (TorrentBlockListProj) or RemoteUrl in~ (PiracyBlockListProj) or RemoteUrl in~ (PhishingBlockListProj) or RemoteUrl in~ (MalwareBlockListProj) or RemoteUrl in~ (RansomBlockListProj)
| summarize count() by RemoteUrl

Explanation

This query is designed to analyze network traffic by comparing it against several blocklists provided by the Blocklist Project. It specifically checks for domains related to porn, piracy, torrenting, phishing, malware, and ransomware. Here's a simplified breakdown of what the query does:

  1. Load Blocklists: It retrieves blocklists from the Blocklist Project for different categories (porn, piracy, torrent, phishing, malware, and ransomware) and processes them to extract domain names.

  2. Filter Network Events: It examines network events (from DeviceNetworkEvents) to identify any traffic directed towards the domains listed in these blocklists.

  3. Count Matches: It counts the number of times each blocked domain appears in the network traffic and summarizes the results by domain.

In essence, this query helps identify and quantify network traffic to potentially harmful or unwanted domains based on predefined blocklists.
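The three steps above can be exercised offline without a Defender tenant or network access. The Python below is an added example, not the page's KQL: it parses hosts-format blocklist text the way the query's where/extend/project steps do, then matches constructed DeviceNetworkEvents rows and counts hits per RemoteUrl exactly as `in~` plus `summarize count() by RemoteUrl` would. The blocklist text and event rows are constructed sample data, not real Blocklist Project content. It also goes slightly beyond the query in two labelled places: it strips a `127.0.0.1` sink address as well as `0.0.0.0`, and it offers an optional parent-domain match, which the KQL `in~` operator does not perform.

```python
"""Offline re-implementation of the blocklist-matching pipeline in the KQL query above.

Added example, not the original query. Every blocklist line and event row here is constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed hosts-format blocklist text, shaped like the Blocklist Project files:
# comment lines start with '#', entries are '<sink address> <hostname>'.
SAMPLE_BLOCKLISTS: Dict[str, str] = {
    "phishing": """# Title: constructed phishing list
# Expires: never
0.0.0.0 login-verify.example
0.0.0.0   secure-update.example
""",
    "malware": """# constructed malware list
0.0.0.0 payload-cdn.example
127.0.0.1 dropper.example
""",
}

# Constructed DeviceNetworkEvents rows (only the columns the query touches).
SAMPLE_EVENTS: List[dict] = [
    {"DeviceName": "ws01", "RemoteUrl": "login-verify.example"},
    {"DeviceName": "ws02", "RemoteUrl": "LOGIN-VERIFY.example"},    # in~ is case-insensitive
    {"DeviceName": "ws03", "RemoteUrl": "cdn.payload-cdn.example"},  # subdomain: not an exact match
    {"DeviceName": "ws04", "RemoteUrl": "dropper.example"},
    {"DeviceName": "ws05", "RemoteUrl": "intranet.corp.example"},
    {"DeviceName": "ws06", "RemoteUrl": "secure-update.example"},
]

# The query strips only "0.0.0.0"; handling "127.0.0.1" too is a generalization added here,
# since both are common sink addresses in hosts-format lists.
SINK_PREFIXES = ("0.0.0.0", "127.0.0.1")


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Mirror of: where type !startswith "#" | extend RemoteUrl = replace_string(...) | project RemoteUrl.

    Drops blank and comment lines, removes the sink address and all whitespace (what the
    double replace_string does), and lowercases so later comparison is case-insensitive.
    """
    hosts: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for prefix in SINK_PREFIXES:
            if line.startswith(prefix):
                line = line[len(prefix):]
                break
        host = "".join(line.split()).lower()
        if host:
            hosts.add(host)
    return hosts


def is_blocked(host: str, blocked: Set[str], match_parent_domains: bool) -> bool:
    """Exact match reproduces KQL in~; parent-domain match is an added option."""
    if host in blocked:
        return True
    if not match_parent_domains:
        return False
    labels = host.split(".")
    # Check every parent domain except the bare TLD, e.g. a.b.example -> b.example.
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels) - 1))


def blocklist_hits(events: Iterable[dict], blocklists: Dict[str, Set[str]],
                   match_parent_domains: bool = False) -> Dict[str, int]:
    """Mirror of: where RemoteUrl in~ (list1) or ... | summarize count() by RemoteUrl.

    Grouping is by the RemoteUrl value as logged (summarize does not fold case), so two
    spellings of the same host appear as two rows, just as they would in the KQL output.
    """
    blocked: Set[str] = set().union(*blocklists.values())
    counts: Counter = Counter()
    for event in events:
        if is_blocked(event["RemoteUrl"].lower(), blocked, match_parent_domains):
            counts[event["RemoteUrl"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lists = {name: parse_hosts_blocklist(text) for name, text in SAMPLE_BLOCKLISTS.items()}
    for url, n in sorted(blocklist_hits(SAMPLE_EVENTS, lists).items()):
        print(f"{url}\t{n}")
```

Run with the parent-domain option off to get exactly the query's semantics; turning it on shows the one extra hit (`cdn.payload-cdn.example`) that the KQL misses, which is useful when deciding whether a list needs `endswith`-style matching instead of `in~`.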

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceNetworkEvents

Keywords

Network Traffic, Blocklists, Domains

Operators

let, externaldata, with, format, where, !startswith, extend, replace_string, project, in~, or, summarize, count, by