# Outbound Connection to Spydisec High Confidence Malicious IP

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1041| Exfiltration Over C2 Channel | https://attack.mitre.org/techniques/T1041 |


#### Description

This rule detects outbound network connections from devices to IP addresses identified as high confidence malicious by Spydisec. It specifically filters for outbound connections within the last two hours, indicating potential command and control activity or data exfiltration to known malicious infrastructure.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References
- https://spydisec.com/


## Defender XDR
```KQL
// Spydisec high-confidence list: one IP per line, comment lines start with '#'
let SpydisecHCIPs = externaldata(IP: string)["https://spydisec.com/high_confidence_limited.txt"]
| where IP !startswith "#";
DeviceNetworkEvents
| where TimeGenerated > ago(2h)
// Inner join keeps only events whose remote address appears on the list
| join kind=inner (SpydisecHCIPs) on $left.RemoteIP == $right.IP
// The connection direction is stored in AdditionalFields; the filter below drops inbound
// events so only outbound connections remain. Comment out the last line to see both directions.
| extend Direction = tostring(parse_json(AdditionalFields).direction)
| where Direction != "In"
```

## Explanation

This query identifies potentially malicious outbound network connections from devices within the last two hours. It focuses on connections to IP addresses that Spydisec, a cybersecurity service, has flagged with high confidence as malicious. Here is a breakdown of how the query works:

  1. Data Source: It retrieves the list of high-confidence malicious IP addresses from Spydisec, skipping the comment lines that start with `#`.

  2. Time Frame: The query filters for network events that occurred in the last two hours.

  3. Matching IPs: An inner join keeps only the events whose remote IP appears on the Spydisec list.

  4. Direction Filter: The direction is read from the `AdditionalFields` JSON and events marked `In` are dropped, so inbound traffic is excluded and only outbound connections are reported.

The purpose of this query is to detect potential command and control activity or data exfiltration attempts to known malicious infrastructure, helping to identify and mitigate security threats.
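The same matching logic, written as an added stand-alone Python example (not code from the original page or from the author's repository) so the four steps can be exercised offline against constructed sample data. The feed text and the `DeviceNetworkEvents`-style rows below are constructed, and the fixed clock `NOW` is an assumption so that the two-hour window is reproducible.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the feed format: comment lines start with '#'; blanks and duplicates may occur.
FEED_TEXT = """# Spydisec high confidence list (constructed sample, not the real feed)
203.0.113.10
198.51.100.7

203.0.113.10
"""

NOW = datetime(2026, 6, 16, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

# Constructed DeviceNetworkEvents-style rows; AdditionalFields is the JSON string the query parses.
EVENTS = [
    {"TimeGenerated": "2026-06-16T11:30:00Z", "DeviceName": "wks01", "RemoteIP": "203.0.113.10", "RemotePort": 443, "AdditionalFields": '{"direction":"Out"}'},
    {"TimeGenerated": "2026-06-16T11:45:00Z", "DeviceName": "srv02", "RemoteIP": "203.0.113.10", "RemotePort": 5555, "AdditionalFields": '{"direction":"In"}'},  # inbound: dropped
    {"TimeGenerated": "2026-06-16T08:00:00Z", "DeviceName": "wks03", "RemoteIP": "198.51.100.7", "RemotePort": 80, "AdditionalFields": '{"direction":"Out"}'},  # outside the 2h window
    {"TimeGenerated": "2026-06-16T11:50:00Z", "DeviceName": "wks04", "RemoteIP": "198.51.100.7", "RemotePort": 8080, "AdditionalFields": '{}'},  # no direction: kept, as != "In" does
    {"TimeGenerated": "2026-06-16T11:55:00Z", "DeviceName": "wks05", "RemoteIP": "192.0.2.9", "RemotePort": 443, "AdditionalFields": '{"direction":"Out"}'},  # not on the feed
]

def parse_feed(text):
    """Mirror of `externaldata(IP: string) | where IP !startswith "#"`, plus trimming and de-duplication."""
    return {s for s in (line.strip() for line in text.splitlines()) if s and not s.startswith("#")}

def direction_of(additional_fields):
    """Mirror of tostring(parse_json(AdditionalFields).direction): a missing or null key becomes ""."""
    try:
        return str(json.loads(additional_fields).get("direction") or "")
    except (ValueError, TypeError, AttributeError):
        return ""

def find_matches(events, feed_ips, now=NOW, window=timedelta(hours=2)):
    """Inner join on RemoteIP within the window, then drop rows whose direction is "In"."""
    cutoff = now - window
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["TimeGenerated"].replace("Z", "+00:00"))
        if ts <= cutoff or ev["RemoteIP"] not in feed_ips:
            continue
        if direction_of(ev["AdditionalFields"]) == "In":
            continue
        hits.append((ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"]))
    return hits

if __name__ == "__main__":
    for device, ip, port in find_matches(EVENTS, parse_feed(FEED_TEXT)):
        print(f"match: {device} -> {ip}:{port}")
```

Note that, exactly like `Direction != "In"` in the KQL, an event with no `direction` field is reported; tighten the check to `== "Out"` if that is not wanted.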

## Details

Author: Benjamin Zulliger

Released: June 16, 2026

Tables: DeviceNetworkEvents

Keywords: Devices
