Networkconnection To High Confidence Threat View Domain
Query
let DOMAINHighConfThreatView = externaldata (Domain:string) [@" https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt" ] with (format="txt", ignoreFirstRecord = false);
DeviceNetworkEvents
| where isnotempty( RemoteUrl)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| extend Domain = extract(@"^(?:https?://)?([^/]+)", 1, RemoteUrl)
| join kind=inner DOMAINHighConfThreatView on DomainAbout this query
Explanation
This KQL query is designed to identify potentially malicious network activity by detecting successful connections from devices to domains that are considered high-risk according to ThreatView.io. Here's a simplified breakdown of what the query does:
-
Data Source: It uses an external data source from ThreatView.io, which provides a list of domains identified as high-confidence threats.
-
Network Events: The query examines network events from devices, specifically looking for successful outbound connections to public IP addresses.
-
Domain Extraction: It extracts the domain from the URL of each network event.
-
Threat Detection: The query checks if the extracted domain matches any domain in the ThreatView high-confidence threat list. If there's a match, it indicates a potentially risky connection.
-
Extended Version: The extended version of the query goes a step further by also checking for risky sign-ins that occur after the suspicious network connection. It correlates these sign-ins with the network events to provide additional context on potential threats.
In summary, this query helps security analysts identify devices that have connected to known malicious domains and correlates these events with risky sign-in activities, providing a comprehensive view of potential security threats.
Details

Benjamin Zulliger
Released: October 7, 2025
Tables
Keywords
Operators