Email TI Url Listed On Threatfox In Email Url Info
Query
//This Query detects Url listed on abuse.ch Threatfox Feed in EmailUrlInfo
let TwitterFeed_today = externaldata (Date: string, Src: string, Art: string, Value: string) ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv"];
let TwitterFeed_week = externaldata (Date: string, Src: string, Art: string, Value: string) ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"];
let TwitterFeed_month = externaldata (Date: string, Src: string, Art: string, Value: string) ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"];
EmailUrlInfo
| join EmailEvents on NetworkMessageId
| join (TwitterFeed_today
| where Art == "url"
) on $left.Url == $right.Value
| join (TwitterFeed_week
| where Art == "url"
) on $left.Url == $right.Value
| join (TwitterFeed_month
| where Art == "url"
) on $left.Url == $right.ValueExplanation
This query is designed to detect URLs in email data that are listed in a threat intelligence feed. Here's a simplified breakdown:
-
Data Sources: The query pulls in three external data sources representing URLs flagged as threats on different time scales:
TwitterFeed_today: URLs flagged today.TwitterFeed_week: URLs flagged this week.TwitterFeed_month: URLs flagged this month.
-
Email Data: It uses data from
EmailUrlInfoandEmailEvents, which contain information about URLs found in emails and related email events. -
Joining Data: The query performs a series of joins:
- It first joins
EmailUrlInfowithEmailEventsusing a common identifier (NetworkMessageId). - Then, it checks if any URLs from the emails match URLs listed in the daily, weekly, and monthly threat feeds. This is done by joining on the URL field (
Urlin the email data andValuein the threat feeds) and filtering for entries where the type (Art) is "url".
- It first joins
-
Purpose: The goal is to identify any URLs in emails that are also present in the threat feeds, indicating potential security threats or malicious activity.
Details

User Submission
Released: November 10, 2024
Tables
EmailUrlInfoEmailEvents
Keywords
EmailUrlInfoEventsNetworkMessageIdTwitterFeed
Operators
letexternaldataon|joinwhere==$left$right