Query Details

Part 1 Custom Defender XDR KQL Detection For Fake CrowdStrike Email Domain

Query

// Part 1: Custom DefenderXDR KQL detection for fake CrowdStrike email domain
// https://www.linkedin.com/posts/activity-7220616094514917377-a-lR/

// Configure as Detect & Purge:

EmailEvents
| where Timestamp > ago(1h)
| where EmailDirection == "Inbound"
| where LatestDeliveryAction == "Delivered"
| where SenderFromDomain contains "crowdstrike"
| where SenderFromDomain !endswith "crowdstrike.com" and
        SenderFromDomain !endswith "litmos.com" and
        SenderFromDomain !endswith "zoom.us"

Explanation

This query is designed to detect, and when configured with a purge action remove, suspicious inbound emails whose sender domain looks like "crowdstrike.com" but is not one of the legitimate domains. Here's a breakdown of what it does:

  1. Time Filter: It looks at emails received in the last hour.
  2. Direction Filter: It only considers inbound emails.
  3. Delivery Status: It focuses on emails that were successfully delivered.
  4. Domain Check: It checks whether the sender's domain contains the string "crowdstrike".
  5. Legitimacy Check: It excludes the allow-listed domains "crowdstrike.com", "litmos.com", and "zoom.us"; because `!endswith` is a suffix test, subdomains of these (and any other domain ending in those strings) are excluded as well.

In simple terms, this query identifies recently delivered inbound emails whose sender domain imitates CrowdStrike's but is not one of the allow-listed domains.
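The same five filters, applied in Python to a constructed set of EmailEvents rows so the matching behaviour (case-insensitive `contains`, suffix semantics of `!endswith`) can be checked offline. This is an added example, not part of the original query or Steven Lim's work; the sample rows, the `.example` sender domains and the `strict_allowlisted` helper are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

# KQL `contains` and `!endswith` are case-insensitive, so every comparison
# below is done on lower-cased strings to mirror the query's behaviour.
ALLOWED_SUFFIXES = ("crowdstrike.com", "litmos.com", "zoom.us")

def matches_query(event, now, window=timedelta(hours=1),
                  allowed_suffixes=ALLOWED_SUFFIXES):
    """Apply the five filters of the KQL query to one EmailEvents row."""
    domain = event["SenderFromDomain"].lower()
    return (event["Timestamp"] > now - window                  # Timestamp > ago(1h)
            and event["EmailDirection"] == "Inbound"
            and event["LatestDeliveryAction"] == "Delivered"
            and "crowdstrike" in domain                        # contains "crowdstrike"
            and not any(domain.endswith(s) for s in allowed_suffixes))  # !endswith ...

def lookalike_sender_events(events, now, **kw):
    """Return the NetworkMessageIds the query would surface."""
    return [e["NetworkMessageId"] for e in events if matches_query(e, now, **kw)]

def strict_allowlisted(domain, allowed=ALLOWED_SUFFIXES):
    """Stricter allow-list check (hypothetical hardening): only the exact
    domain or a real subdomain counts, so a domain that merely ends in the
    string 'crowdstrike.com' is no longer treated as legitimate."""
    d = domain.lower()
    return any(d == a or d.endswith("." + a) for a in allowed)

# Constructed sample rows (not real telemetry) with the columns the query uses.
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

def _row(msg_id, domain, minutes_ago=5, direction="Inbound", action="Delivered"):
    return {"NetworkMessageId": msg_id, "Timestamp": NOW - timedelta(minutes=minutes_ago),
            "EmailDirection": direction, "LatestDeliveryAction": action,
            "SenderFromDomain": domain}

SAMPLE_EMAIL_EVENTS = [
    _row("m1", "crowdstrike-recovery.example"),                  # lookalike -> surfaced
    _row("m2", "crowdstrike.com"),                               # vendor domain -> excluded
    _row("m3", "mail.crowdstrike.com"),                          # subdomain -> excluded
    _row("m4", "CrowdStrike-Update.example"),                    # case variant -> surfaced
    _row("m5", "crowdstrike-recovery.example", minutes_ago=180), # outside the 1h window
    _row("m6", "crowdstrike-recovery.example", direction="Outbound"),
    _row("m7", "crowdstrike-recovery.example", action="Blocked"),
    _row("m8", "notcrowdstrike.com"),                            # passes !endswith -> not surfaced
]

if __name__ == "__main__":
    print(lookalike_sender_events(SAMPLE_EMAIL_EVENTS, NOW))  # ['m1', 'm4']
    print(strict_allowlisted("notcrowdstrike.com"))            # False
```

Row m8 shows the suffix caveat: the query as written treats it as legitimate, while `strict_allowlisted` does not.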

Details

Steven Lim

Released: August 2, 2024

Tables

EmailEvents

Keywords

EmailEvents, Timestamp, EmailDirection, LatestDeliveryAction, SenderFromDomain

Operators

|, >, ==, contains, !endswith, and