Query Details

Netskope Malicious Cloud Worker Detection

Query

//This query checks DeviceNetworkEvents against known malicious Cloudflare workers from Netskope
let NetskopeCloudflareWorkers = externaldata(Url: string)[@"https://raw.githubusercontent.com/netskopeoss/NetskopeThreatLabsIOCs/main/Phishing/CloudflareWorkers/IOCs/README.md"] with (format="csv", ignoreFirstRecord=true);
let DomainList = NetskopeCloudflareWorkers
// drop the markdown scaffolding lines that are not URLs
| where Url !in ("```text", "- **URLs**", "```")
// for scheme://host/path, element 2 of the split is the host
| extend domain = tostring(split(Url, '/')[2])
// refang the defanged host: [.] -> .
| extend domain = replace_string(domain, '[.]', '.')
| where isnotempty(domain)
| distinct domain;
DeviceNetworkEvents
| where RemoteUrl in (DomainList)

Explanation

This query is designed to identify potentially malicious network activity on devices by comparing network events against a list of known malicious Cloudflare worker URLs provided by Netskope. Here's a breakdown of what the query does:

  1. Data Import: It imports a list of malicious URLs from a file hosted on GitHub by Netskope (the README is read by externaldata as a single-column CSV). This file contains indicators of compromise (IOCs) related to phishing activities using Cloudflare workers.

  2. Data Cleaning and Preparation:

    • It filters out the markdown scaffolding lines in the imported data that don't contain URLs.
    • It extracts the host part of each URL by splitting the URL string on '/' and keeping the host component.
    • It replaces the obfuscated (defanged) separator [.] with an actual dot (.) to form a valid domain name.

  3. Comparison with Device Network Events:

    • It compares the cleaned list of malicious domains against the RemoteUrl field in the DeviceNetworkEvents table.
    • It returns any network event whose RemoteUrl exactly matches one of the domains in the list (the in operator is an exact, case-sensitive comparison), indicating potential malicious activity.

In simple terms, this query checks if any network activity on devices matches known malicious URLs associated with Cloudflare workers, helping to detect potential phishing threats.
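To test the parsing and matching logic offline before running the query against real telemetry, here is an added Python re-implementation of the same pipeline (not the page's query and not Netskope code): it strips the markdown scaffolding, extracts and refangs the host of each IOC URL, and matches constructed DeviceNetworkEvents-style rows, normalising RemoteUrl to a host whether the column holds a bare FQDN or a full URL. The README sample and event rows are constructed, not real indicators.

```python
import re
from urllib.parse import urlsplit

FENCE = "`" * 3  # markdown code fence, built so it does not close this block

# Constructed stand-in for the Netskope README layout the query parses
# (not the real file): a "- **URLs**" line, a ```text fence, defanged URLs.
SAMPLE_README = "\n".join([
    "- **URLs**",
    FENCE + "text",
    "hxxps://example-worker[.]workers[.]dev/login",
    "hxxps://another-example[.]workers[.]dev/",
    "https://plain-example[.]workers[.]dev/auth/",
    FENCE,
])

SKIP_LINES = {FENCE + "text", "- **URLs**", FENCE, ""}

def refang(value: str) -> str:
    """Undo common defanging: [.] -> . , [:] -> : , hxxp -> http."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def extract_domains(readme_text: str) -> set:
    """Mirror of the query's DomainList: refanged host of each IOC URL."""
    domains = set()
    for line in readme_text.splitlines():
        line = line.strip()
        if line in SKIP_LINES:
            continue
        host = urlsplit(refang(line)).hostname  # already lower-cased
        if host:
            domains.add(host)
    return domains

def event_host(remote_url: str) -> str:
    """RemoteUrl may be a bare FQDN or a full URL; reduce both to the host."""
    if "://" not in remote_url:
        remote_url = "//" + remote_url
    return (urlsplit(remote_url).hostname or "").lower()

def match_events(events: list, domains: set) -> list:
    """Equivalent of: DeviceNetworkEvents | where RemoteUrl in (DomainList)."""
    return [e for e in events if event_host(e["RemoteUrl"]) in domains]

# Constructed DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "wks01", "RemoteUrl": "example-worker.workers.dev"},
    {"DeviceName": "wks02", "RemoteUrl": "https://Another-Example.workers.dev/"},
    {"DeviceName": "wks03", "RemoteUrl": "docs.example.com"},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, extract_domains(SAMPLE_README)):
        print(hit["DeviceName"], hit["RemoteUrl"])
```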

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, Url, Domain, RemoteUrl

Operators

externaldata, with, format, ignoreFirstRecord, where, extend, split, strcat, replace_string, project, in