Query Details
// This query detects URLs listed in the TweetFeed CSV feeds in EmailUrlInfo.
// Each feed is loaded with externaldata; columns are Date, Src, Art (artifact type) and Value.
let TwitterFeed_today = externaldata (Date: string, Src: string, Art: string, Value: string)
    ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv"];
let TwitterFeed_week = externaldata (Date: string, Src: string, Art: string, Value: string)
    ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"];
let TwitterFeed_month = externaldata (Date: string, Src: string, Art: string, Value: string)
    ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"];
EmailUrlInfo
// Add the email metadata for each URL.
| join EmailEvents on NetworkMessageId
// The feed joins are chained, so a URL must match in all three feeds to be returned.
| join (TwitterFeed_today | where Art == "url") on $left.Url == $right.Value
| join (TwitterFeed_week | where Art == "url") on $left.Url == $right.Value
| join (TwitterFeed_month | where Art == "url") on $left.Url == $right.Value
This query is designed to identify URLs in email data that are listed as threats on a specific threat intelligence feed. Here's a simplified breakdown:
Data Sources: The query pulls data from three external CSV files representing Twitter feeds for today, this week, and this month. Each file contains information about potential threats, including URLs.
Email Data: It uses a dataset called EmailUrlInfo that contains URLs extracted from emails, and it joins this with another dataset called EmailEvents based on a common identifier (NetworkMessageId).
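Threat Detection: The query checks if any URLs found in the emails match URLs listed as threats in the Twitter feeds. It does this by:
  - Filtering each feed to entries where the artifact type (Art) is "url".
  - Joining the email URLs to each filtered feed where the email Url equals the feed Value.
Result: The output will be a list of URLs from emails that have been identified as threats according to the Twitter feeds for today, this week, and this month. Because the three joins are chained, a URL is returned only when it appears in all three feeds.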
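A variant that matches a URL listed in any of the three feeds, as an added example that is not part of the original submission. It assumes a 30-day lookback, a trailing-slash normalisation of both sides, and a chosen set of EmailEvents columns for triage; the names FeedUrls, UrlKey and Window are introduced here for illustration.

```kusto
// Added example: union the three TweetFeed windows, then join once.
let TwitterFeed_today = externaldata (Date: string, Src: string, Art: string, Value: string)
    ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv"];
let TwitterFeed_week = externaldata (Date: string, Src: string, Art: string, Value: string)
    ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"];
let TwitterFeed_month = externaldata (Date: string, Src: string, Art: string, Value: string)
    ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"];
// One row per listed URL, recording which feed windows and sources reported it.
let FeedUrls = union
        (TwitterFeed_today | extend Window = "today"),
        (TwitterFeed_week  | extend Window = "week"),
        (TwitterFeed_month | extend Window = "month")
    | where Art == "url"
    // Assumption: ignore a trailing "/" so "https://a.example/" matches "https://a.example".
    | extend UrlKey = trim_end("/", Value)
    | summarize Windows = make_set(Window), Sources = make_set(Src) by UrlKey;
EmailUrlInfo
| where Timestamp > ago(30d)          // assumed lookback window
| extend UrlKey = trim_end("/", Url)
| join kind=inner FeedUrls on UrlKey
// Pull only the EmailEvents columns needed for triage.
| join kind=inner (
    EmailEvents
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
  ) on NetworkMessageId
| project Timestamp, NetworkMessageId, Url, Windows, Sources,
          SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
```

The Windows column shows how recent the listing is: a row containing only "month" was reported more than a week ago, while one containing "today" is fresh.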

User Submission
Released: November 10, 2024