Query Details
// One-Click ANY RUN Storm-1747 KQL Scan
let WeeklyOSINT = externaldata(Type:string, Value:string, Source:string)
    [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/Storm-1747.csv'];
let OSINTSHA256 = WeeklyOSINT | where Type == "hash_sha256" | project Value;
let OSINTSHA1 = WeeklyOSINT | where Type == "hash_sha1" | project Value;
let OSINTMD5 = WeeklyOSINT | where Type == "hash_md5" | project Value;
let OSINTDOMAIN = WeeklyOSINT | where Type == "domain" | project Value;
let OSINTURL = WeeklyOSINT | where Type == "url" | project Value;
let OSINTIP = WeeklyOSINT | where Type == "ip" | project Value;
let ScanEmailAttachments = EmailAttachmentInfo
    | where Timestamp > ago(30d)
    | where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs = EmailUrlInfo
    | where Timestamp > ago(30d)
    | where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
let ScanEndpointFiles = DeviceFileEvents
    | where Timestamp > ago(30d)
    | where ActionType == "FileCreated"
    | where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
let ScanEndpointNetwork1 = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
let ScanEndpointNetwork2 = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where ActionType == "HttpConnectionInspected"
    | extend ConnectInfo = todynamic(AdditionalFields)
    | extend HttpHost = ConnectInfo.host
    | where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2
This KQL query hunts for Storm-1747 activity by comparing the last 30 days of email and endpoint telemetry in the Microsoft Defender XDR advanced hunting tables against known indicators of compromise (IOCs) loaded from an external Open Source Intelligence (OSINT) CSV file. Step by step:
Load External Data: externaldata() fetches a CSV with Type, Value and Source columns from the raw GitHub URL at query time, so every run picks up the current contents of the file. Because the URL points at refs/heads/main rather than a pinned commit, the query trusts whatever that branch serves on the day it runs; the header row is read as a data row too, but its Type value ("Type") matches none of the filters below, so it is harmless.
Filter and Organize IOCs: the rows are split by Type into six single-column lists: hash_sha256, hash_sha1, hash_md5, domain, url and ip.
Scan Email Attachments: EmailAttachmentInfo rows from the last 30 days whose SHA256 appears in the SHA256 list.
Scan Email URLs: EmailUrlInfo rows from the last 30 days whose UrlDomain appears in the domain list or whose Url appears in the URL list.
Scan Endpoint Files: DeviceFileEvents FileCreated events from the last 30 days whose MD5, SHA1 or SHA256 appears in the corresponding hash list.
Scan Endpoint Network Connections: DeviceNetworkEvents ConnectionSuccess events from the last 30 days whose RemoteIP appears in the IP list or whose RemoteUrl contains a listed domain.
Scan HTTP Connections: DeviceNetworkEvents HttpConnectionInspected events from the last 30 days, parsing the host field out of the AdditionalFields JSON and matching it against the domain list.
Combine Results: union merges the five result sets into a single table for triage.
In summary, the query cross-references recent email and endpoint activity with a maintained threat indicator list. Two points to keep in mind when reusing it: the 30-day window is the advanced hunting retention limit, so nothing older can be checked this way, and the comparisons use has_any, which matches whole terms rather than exact strings. That term matching is what lets a listed domain match a RemoteUrl that also carries a scheme or path, but if you want exact equality on the hash or IP columns, the in operator gives that instead.
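As an added example (not part of this page or of the SlimKQL repository), the same five checks in Python, run offline over a constructed IOC CSV in the Type,Value,Source layout the query expects and over a handful of constructed records shaped like rows of the four tables the query reads. It uses exact, case-insensitive comparison rather than KQL's term-based has_any, and the IOC values, the sample rows and the helper names (load_iocs, host_of, scan) are all assumptions made for illustration.

```python
import csv
import io
import json
from urllib.parse import urlsplit

# Constructed IOC list in the Type,Value,Source layout the query's externaldata()
# call expects. The values are placeholders for this example, not real Storm-1747
# indicators.
IOC_CSV = """Type,Value,Source
hash_sha256,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,example
hash_sha1,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,example
hash_md5,cccccccccccccccccccccccccccccccc,example
domain,bad.example,example
url,https://bad.example/payload.zip,example
ip,203.0.113.10,example
"""

# Constructed records standing in for rows of the four advanced hunting tables the
# query reads. 'table' names the source table; the other keys are that table's columns.
SAMPLE_RECORDS = [
    {"table": "EmailAttachmentInfo", "FileName": "invoice.zip", "SHA256": "A" * 64},
    {"table": "EmailUrlInfo", "Url": "https://bad.example/payload.zip", "UrlDomain": "bad.example"},
    {"table": "DeviceFileEvents", "ActionType": "FileCreated", "FileName": "setup.exe",
     "MD5": "c" * 32, "SHA1": "0" * 40, "SHA256": "0" * 64},
    # Same hash, but not a FileCreated event: the query ignores it, so this must not match.
    {"table": "DeviceFileEvents", "ActionType": "FileDeleted", "FileName": "setup.exe",
     "MD5": "c" * 32, "SHA1": "0" * 40, "SHA256": "0" * 64},
    {"table": "DeviceNetworkEvents", "ActionType": "ConnectionSuccess",
     "RemoteIP": "203.0.113.10", "RemoteUrl": ""},
    {"table": "DeviceNetworkEvents", "ActionType": "ConnectionSuccess",
     "RemoteIP": "198.51.100.5", "RemoteUrl": "https://bad.example/"},
    {"table": "DeviceNetworkEvents", "ActionType": "HttpConnectionInspected",
     "AdditionalFields": '{"direction":"Out","host":"bad.example","method":"GET","uri":"/payload.zip"}'},
    # Benign connection: neither the IP nor the host is listed.
    {"table": "DeviceNetworkEvents", "ActionType": "ConnectionSuccess",
     "RemoteIP": "192.0.2.1", "RemoteUrl": "good.example"},
]


def load_iocs(csv_text):
    """Split the CSV rows into per-Type sets, lower-cased for case-insensitive matching."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs.setdefault(row["Type"], set()).add(row["Value"].strip().lower())
    return iocs


def host_of(value):
    """Reduce a RemoteUrl, which may be a bare host or a full URL, to its lower-cased host."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/", 1)[0].lower()


def scan(iocs, records):
    """Apply the query's five checks to the records; return the matches tagged with a reason."""
    hits = []
    for r in records:
        table, action = r["table"], r.get("ActionType")
        reason = None
        if table == "EmailAttachmentInfo":
            if r.get("SHA256", "").lower() in iocs.get("hash_sha256", set()):
                reason = "email attachment sha256"
        elif table == "EmailUrlInfo":
            if r.get("UrlDomain", "").lower() in iocs.get("domain", set()):
                reason = "email url domain"
            elif r.get("Url", "").lower() in iocs.get("url", set()):
                reason = "email url"
        elif table == "DeviceFileEvents" and action == "FileCreated":
            for col, typ in (("MD5", "hash_md5"), ("SHA1", "hash_sha1"), ("SHA256", "hash_sha256")):
                if r.get(col, "").lower() in iocs.get(typ, set()):
                    reason = "file " + col.lower()
                    break
        elif table == "DeviceNetworkEvents" and action == "ConnectionSuccess":
            if r.get("RemoteIP") in iocs.get("ip", set()):
                reason = "remote ip"
            elif host_of(r.get("RemoteUrl", "")) in iocs.get("domain", set()):
                reason = "remote host"
        elif table == "DeviceNetworkEvents" and action == "HttpConnectionInspected":
            # AdditionalFields is a JSON string; the query reads todynamic(AdditionalFields).host.
            fields = json.loads(r.get("AdditionalFields") or "{}")
            if str(fields.get("host", "")).lower() in iocs.get("domain", set()):
                reason = "http host"
        if reason:
            hits.append({**r, "Reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(load_iocs(IOC_CSV), SAMPLE_RECORDS):
        print(hit["Reason"], "->", hit["table"])
```

Of the eight constructed rows, six match (one per check, plus the RemoteUrl host match); the FileDeleted row carrying a listed MD5 and the benign connection do not, which is the behaviour the KQL's ActionType filters and list lookups give.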

Steven Lim
Released: May 29, 2025