# *Network Connection to High-Confidence ThreatView Domain*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| TA0011 | Command and Control | https://attack.mitre.org/tactics/TA0011/ |
#### Description
This rule detects successful network connections from devices to domains identified as high-confidence threats by ThreatView.io. It specifically looks for outbound connections to public IP addresses where the remote URL's domain matches an entry in the ThreatView high-confidence feed.
#### Risk
Network Connection to High-Confidence URLs
#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
#### References
- https://threatview.io
## Defender XDR
```KQL
// Load the ThreatView high-confidence domain feed (one domain per line) as a single-column table.
let DOMAINHighConfThreatView = externaldata (Domain:string) [@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord = false);
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
// Strip an optional scheme and keep everything up to the first '/'.
// Note: a port suffix (host:443) and upper-case characters are kept, so such rows will not match the feed.
| extend Domain = extract(@"^(?:https?://)?([^/]+)", 1, RemoteUrl)
| join kind=inner DOMAINHighConfThreatView on Domain
```
If you prefer, you can use the extended version of this query, which also detects risky sign-ins that occur after the device's network connection to the high-confidence domain.
```KQL
// Load the ThreatView high-confidence domain feed (one domain per line) as a single-column table.
let DOMAINHighConfThreatView = externaldata (Domain:string) [@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord = false);
// Step 1: successful outbound connections whose domain is on the feed.
let SuspiciousConnections = DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| extend Domain = extract(@"^(?:https?://)?([^/]+)", 1, RemoteUrl)
| join kind=inner DOMAINHighConfThreatView on Domain
// Keep the connection time under its own name so it does not collide with the sign-in table's Timestamp after the join.
| project SuspiciousConnections_Timestamp=Timestamp, InitiatingProcessAccountUpn, Domain, DeviceId, DeviceName;
// Step 2: risky sign-ins by the same user that happened after the suspicious connection.
AADSignInEventsBeta
| where isnotempty(RiskLevelDuringSignIn)
| where isnotempty(AccountUpn)
| join kind=inner SuspiciousConnections on $left.AccountUpn == $right.InitiatingProcessAccountUpn
| where Timestamp > SuspiciousConnections_Timestamp
// DeviceId comes from the network event; DeviceName here is the sign-in's device name (the network event's copy is DeviceName1).
| project Timestamp, ReportId, AccountObjectId, AccountUpn, Domain, IPAddress, Country, Application, ConditionalAccessStatus, DeviceId, DeviceName
```
This KQL query is designed to identify potentially malicious network activity by detecting successful connections from devices to domains that are considered high-risk according to ThreatView.io. Here's a simplified breakdown of what the query does:
- **Data Source:** It uses an external data source from ThreatView.io, which provides a list of domains identified as high-confidence threats.
- **Network Events:** The query examines network events from devices, specifically looking for successful outbound connections to public IP addresses.
- **Domain Extraction:** It extracts the domain from the URL of each network event.
- **Threat Detection:** The query checks if the extracted domain matches any domain in the ThreatView high-confidence threat list. If there's a match, it indicates a potentially risky connection.
- **Extended Version:** The extended version of the query goes a step further by also checking for risky sign-ins that occur after the suspicious network connection. It correlates these sign-ins with the network events to provide additional context on potential threats.

In summary, this query helps security analysts identify devices that have connected to known malicious domains and correlates these events with risky sign-in activities, providing a comprehensive view of potential security threats.
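The domain extraction and feed matching steps above are the part of the rule most likely to miss events, because `RemoteUrl` is matched exactly after the regex runs. The following Python script is an added example (not part of the original query or the author's code) that re-implements the rule's filter and the page's `extract()` regex over a constructed set of `DeviceNetworkEvents`-style rows and a constructed two-line feed, then contrasts it with a stricter host normalisation (lower-casing and dropping the port) and an optional parent-domain match that goes beyond the page's exact-match join. All device names, domains and URLs are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the ThreatView feed: one domain per line, no header.
FEED_TEXT = """\
bad-domain.example
malicious.example
"""

# Constructed DeviceNetworkEvents rows; RemoteUrl is shown as Defender records it.
EVENTS = [
    {"DeviceName": "ws01", "RemoteIPType": "Public", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "bad-domain.example"},
    {"DeviceName": "ws02", "RemoteIPType": "Public", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://malicious.example/login"},
    {"DeviceName": "ws03", "RemoteIPType": "Public", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "Malicious.Example:443"},          # mixed case plus port
    {"DeviceName": "ws04", "RemoteIPType": "Private", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "bad-domain.example"},              # filtered out: not a public IP
    {"DeviceName": "ws05", "RemoteIPType": "Public", "ActionType": "ConnectionFailed",
     "RemoteUrl": "bad-domain.example"},              # filtered out: not a successful connection
    {"DeviceName": "ws06", "RemoteIPType": "Public", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://www.malicious.example/"},  # subdomain of a feed entry
]

# Same regex the page's KQL passes to extract().
KQL_DOMAIN_RE = re.compile(r"^(?:https?://)?([^/]+)")


def load_feed(text):
    """Feed lines -> lower-cased set, skipping blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def extract_domain_kql_style(remote_url):
    """Mirror of the page's extract(): strip an optional scheme, keep everything up to the first '/'."""
    m = KQL_DOMAIN_RE.match(remote_url)
    return m.group(1) if m else None


def normalize_domain(remote_url):
    """Stricter alternative: parse the host, lower-case it and drop any port or userinfo."""
    url = remote_url if "://" in remote_url else "//" + remote_url
    host = urlsplit(url).hostname  # hostname is already lower-cased by urlsplit
    return host or None


def feed_match(domain, feed, include_parents=False):
    """Return the feed entry the domain matches, optionally walking up parent labels (never the bare TLD)."""
    if domain is None:
        return None
    if domain in feed:
        return domain
    if include_parents:
        labels = domain.split(".")
        for i in range(1, len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in feed:
                return candidate
    return None


def find_matches(events, feed, extractor, include_parents=False):
    """Apply the rule's filters, extract the domain with `extractor`, and return (device, matched feed entry) hits."""
    hits = []
    for ev in events:
        if ev["RemoteIPType"] != "Public" or ev["ActionType"] != "ConnectionSuccess":
            continue
        matched = feed_match(extractor(ev["RemoteUrl"]), feed, include_parents)
        if matched:
            hits.append((ev["DeviceName"], matched))
    return hits


if __name__ == "__main__":
    feed = load_feed(FEED_TEXT)
    print("KQL-style exact match:", find_matches(EVENTS, feed, extract_domain_kql_style))
    print("Normalised host:      ", find_matches(EVENTS, feed, normalize_domain))
    print("Normalised + parents: ", find_matches(EVENTS, feed, normalize_domain, include_parents=True))
```

Running the script shows that the page's regex matches ws01 and ws02 only: ws03 is missed because the extracted value keeps the port and original case, and ws06 because the feed lists the parent domain rather than the `www` host. In KQL the equivalent hardening is to `tolower()` the extracted value and strip a trailing `:port` before the join; parent-domain matching needs a `has_any`-style or `parse_url()`-based approach, which is a deliberate widening of the rule that trades some precision for coverage.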

Benjamin Zulliger
Released: October 7, 2025