Query Details

Part 2 Defender XDR KQL Detection For Fake CrowdStrike Domain URL

Query

// Part 2: Defender XDR KQL detection for fake CrowdStrike domain URL
// https://www.linkedin.com/posts/activity-7220748665924042752-pRST/

// Hourly custom detection: Detect & Purge
// (run as a custom detection rule; the purge is the rule's response action)

EmailUrlInfo
// Only URLs seen in the last hour (matches the hourly rule schedule)
| where Timestamp > ago(1h)
// Attach sender/direction/delivery details for the same message
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where LatestDeliveryAction == "Delivered"
// URL host mentions the brand but is not the legitimate domain
| where UrlDomain contains "crowdstrike"
| where UrlDomain !endswith "crowdstrike.com"
// Exclude senders from the vendor and from known partners that legitimately link to it
| where SenderFromDomain !endswith "crowdstrike.com" and
    SenderFromDomain !endswith "litmos.com" and
    SenderFromDomain !endswith "zoom.us"


Explanation

This KQL query is designed to detect and remove emails that contain URLs mimicking the CrowdStrike domain, which could be indicative of phishing attempts. Here's a simplified breakdown:

  1. Data Source: The query looks at email URL information from the past hour.
  2. Join Operation: It combines this data with email event details using a common identifier (NetworkMessageId).
  3. Filters:
    • Only considers inbound emails.
    • Only includes emails that were successfully delivered.
    • Looks for URLs that contain "crowdstrike" but do not end with "crowdstrike.com".
    • Excludes emails from trusted domains (crowdstrike.com, litmos.com, zoom.us).

In essence, this query identifies potentially malicious emails that appear to come from CrowdStrike but do not link to its legitimate domain; when it runs as a custom detection rule, the rule's response action purges the matching messages.
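The filter logic above, re-implemented in Python over constructed sample records (an added example, not part of the original page or the author's query). It reproduces the query's `endswith` test, which in KQL is a plain case-insensitive suffix match, alongside a stricter dot-delimited domain check so the difference between the two can be inspected offline; the `Email` class and all sample values are assumptions made for the example.

```python
# Added example (not from the original page): the query's filters in Python,
# so the behaviour of `!endswith "crowdstrike.com"` can be checked offline.
from dataclasses import dataclass

# Sender domains the page's query exempts.
TRUSTED_SENDER_SUFFIXES = ("crowdstrike.com", "litmos.com", "zoom.us")


@dataclass(frozen=True)
class Email:
    """Hypothetical joined EmailUrlInfo + EmailEvents row set for one message."""
    network_message_id: str
    direction: str
    delivery_action: str
    sender_from_domain: str
    url_domains: tuple  # one entry per EmailUrlInfo row for this message


def matches_page_query(e: Email) -> bool:
    """Mirror the KQL filters exactly: `endswith` is a plain suffix test."""
    if e.direction != "Inbound" or e.delivery_action != "Delivered":
        return False
    sender = e.sender_from_domain.lower()
    if any(sender.endswith(s) for s in TRUSTED_SENDER_SUFFIXES):
        return False
    return any("crowdstrike" in d.lower() and not d.lower().endswith("crowdstrike.com")
               for d in e.url_domains)


def is_legit_domain(domain: str, base: str = "crowdstrike.com") -> bool:
    """Stricter check: the exact domain or a true (dot-delimited) subdomain."""
    d = domain.lower()
    return d == base or d.endswith("." + base)


def matches_strict(e: Email) -> bool:
    """Same filters, but with the dot-delimited domain check on both sides."""
    if e.direction != "Inbound" or e.delivery_action != "Delivered":
        return False
    if any(is_legit_domain(e.sender_from_domain, s) for s in TRUSTED_SENDER_SUFFIXES):
        return False
    return any("crowdstrike" in d.lower() and not is_legit_domain(d) for d in e.url_domains)


# Constructed sample records (placeholder domains, not real indicators).
SAMPLES = {
    "legit": Email("m1", "Inbound", "Delivered", "crowdstrike.com", ("www.crowdstrike.com",)),
    "lookalike": Email("m2", "Inbound", "Delivered", "example.test", ("crowdstrike-update.example",)),
    "suffix_gap": Email("m3", "Inbound", "Delivered", "example.test", ("fakecrowdstrike.com",)),
    "outbound": Email("m4", "Outbound", "Delivered", "example.test", ("crowdstrike-update.example",)),
}
```

The `suffix_gap` record shows the caveat: a host such as `fakecrowdstrike.com` ends with the string `crowdstrike.com`, so the page's filter treats it as legitimate, while the dot-delimited check does not.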

Details


Steven Lim

Released: August 2, 2024

Tables

EmailUrlInfo, EmailEvents

Keywords

EmailUrlInfo, EmailEvents, Timestamp, EmailDirection, LatestDeliveryAction, UrlDomain, SenderFromDomain

Operators

|, >, ago, join, on, ==, contains, !endswith, and
