Query Details

Gaming Domains Device Network Events

Query

// Pull the gaming-domain indicator list (CSV with a header row) from GitHub.
let GamingDomains = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Gaming.csv"] with (format="csv", ignoreFirstRecord=True);
// Keep only the indicator column so it can be used as a lookup list.
let DomainList = GamingDomains
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
// in~ is a case-insensitive exact match of RemoteUrl against each listed domain.
| where RemoteUrl in~(DomainList)
// Build a VirusTotal domain-report link for pivoting during triage.
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain

Explanation

This KQL (Kusto Query Language) query is designed to analyze network events related to gaming domains over the past 90 days. Here's a simplified breakdown of what it does:

  1. Load Gaming Domains: It retrieves a list of gaming-related domain names from an external CSV file hosted on GitHub. The CSV file is read with the first record ignored (likely because it contains headers).

  2. Extract Domain List: It extracts the domain names from the loaded data into a list called DomainList.

  3. Filter Network Events: It looks at network events from the DeviceNetworkEvents table that have occurred in the last 90 days.

  4. Match with Gaming Domains: It filters these events to only include those where the RemoteUrl (the URL accessed by a device) is a case-insensitive exact match (in~) for a domain in the DomainList.

  5. Create VirusTotal Links: For each matching event, it creates a link to the VirusTotal website for the domain, which can be used to check the domain's reputation or any associated security information.

  6. Summarize Results: Finally, it summarizes the data by counting the number of events for each domain and includes the VirusTotal link for reference.

In essence, this query helps identify how often devices in the network have accessed gaming-related domains recently and provides a way to further investigate these domains using VirusTotal.
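Because in~ is an exact match, a RemoteUrl that carries a scheme or path (for example a full https:// URL) will not match a bare domain from the list. The following variant is an added example, not part of the original query: it reduces RemoteUrl to its host before matching and attributes hits per device. It assumes the same DeviceNetworkEvents columns (RemoteUrl, DeviceName, TimeGenerated) and the same CSV layout.

```kql
// Added example: host-normalised match against the gaming indicator list, with per-device attribution.
let GamingDomains = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Gaming.csv"] with (format="csv", ignoreFirstRecord=true);
let DomainList = GamingDomains
| project IndicatorValue = tolower(IndicatorValue);
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare host or a full URL; keep only the host part so both forms match the list.
| extend RemoteHost = tolower(iff(RemoteUrl has "://",
                                  tostring(parse_url(RemoteUrl).Host),
                                  tostring(split(RemoteUrl, "/")[0])))
| where RemoteHost in (DomainList)
| extend VT_domain = strcat(@"https://www.virustotal.com/gui/domain/", RemoteHost)
// Count events and distinct devices per domain, with the observation window, for triage prioritisation.
| summarize Events = count(), Devices = dcount(DeviceName),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by RemoteHost, VT_domain
| order by Events desc
```

Devices and LastSeen make it easy to see whether a domain is touched by a single host once or by many hosts continuously, which is the difference between an isolated event and a policy-wide pattern.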

Details


Jay Kerai

Released: November 11, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

let, externaldata, with, format, ignoreFirstRecord, project, where, ago, in~, extend, iff, isnotempty, strcat, summarize, by
