Query Details
let PasteLikeSitesIOCs = externaldata(type: string, IndicatorValue: string)
    [@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/FileTransfer%20PasteLike%20Sites.csv"]
    with (format="csv", ignoreFirstRecord=True);
let DomainList = PasteLikeSitesIOCs | project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~ (DomainList)
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After Hunting visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading to MDE to block all domains. Remove any results that are legitimate usage.
This KQL (Kusto Query Language) query is designed to identify network events involving potentially malicious domains. Here's a simplified breakdown:
Data Import: The query starts by importing a list of suspicious domains from a CSV file hosted on GitHub. This file contains indicators of compromise (IOCs) related to "Paste-like" sites, which are often used for sharing text and can be exploited for malicious purposes.
Domain Extraction: It extracts the domain names (IndicatorValue) from the imported data and stores them in a list called DomainList.
Event Filtering: The query then examines network events from the DeviceNetworkEvents table, focusing on events that occurred in the last 90 days (TimeGenerated > ago(90d)).
Domain Matching: It filters these events to find those where the RemoteUrl (the URL accessed by a device) matches any domain in the DomainList.
VirusTotal Links: For each matching event, it creates a link to VirusTotal, a website that provides information about the security status of domains. This is done using the extend operator to add a new column (VT_domain) with the VirusTotal URL for each domain.
Summary: The query summarizes the results by counting the number of events for each domain and its corresponding VirusTotal link.
Next Steps: The trailing comment suggests visiting the GitHub repository after the hunt to download the CSV file. The user is advised to consider uploading this list to Microsoft Defender for Endpoint (MDE) to block these domains, after verifying the results and removing any domains that are used legitimately.
In essence, this query helps identify and analyze network activity involving potentially harmful domains, providing a basis for further investigation and potential blocking actions.
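As an added example (not part of the original query or the Bulk-IOC-CSVs repository), the same DomainList, in~ and summarize steps reproduced in Python over a constructed IOC CSV and constructed DeviceNetworkEvents rows. The match_subdomains flag goes beyond the query: it shows what a case-insensitive exact in~ match does not catch (a full URL or a subdomain of a listed host). All hosts and device names are constructed.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for the IOC CSV: a header row (skipped, like ignoreFirstRecord)
# followed by type,IndicatorValue rows as in the externaldata schema.
IOC_CSV = """type,IndicatorValue
domain,Paste.Example.test
domain,transfer.example.test
"""

# Constructed DeviceNetworkEvents-style rows; RemoteUrl is sometimes a bare host and
# sometimes a full URL, which is exactly where exact matching loses hits.
EVENTS = [
    {"DeviceName": "ws01", "RemoteUrl": "paste.example.test"},
    {"DeviceName": "ws02", "RemoteUrl": "PASTE.EXAMPLE.TEST"},
    {"DeviceName": "ws03", "RemoteUrl": "https://www.transfer.example.test/upload"},
    {"DeviceName": "ws04", "RemoteUrl": "benign.example.test"},
]

VT_PREFIX = "https://www.virustotal.com/gui/domain/"


def load_domain_list(csv_text: str) -> set[str]:
    """DomainList: skip the header, keep IndicatorValue, lower-cased for in~ semantics."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["IndicatorValue"].strip().lower() for r in reader if r.get("IndicatorValue")}


def host_of(remote_url: str) -> str:
    """Reduce a RemoteUrl to its host so 'https://host/path' compares like a bare host."""
    url = remote_url if "://" in remote_url else "//" + remote_url
    return (urlsplit(url).hostname or "").lower()


def hunt(events, domains, match_subdomains=False):
    """Return {host: (VT_domain, count)}, the query's extend + summarize step.

    match_subdomains=False reproduces 'RemoteUrl in~ (DomainList)': exact, case-insensitive.
    True is the extension: hosts under a listed domain, and full URLs, are flagged too.
    (The query groups by the raw RemoteUrl; here the key is lower-cased so case variants merge.)
    """
    hits = Counter()
    for ev in events:
        raw = ev["RemoteUrl"].lower()
        if raw in domains:
            hits[raw] += 1
        elif match_subdomains:
            host = host_of(raw)
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits[host] += 1
    return {h: (VT_PREFIX + h, n) for h, n in hits.items()}
```

Results still need the query's final manual step: drop hosts that are legitimate usage before turning the list into an MDE block indicator.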

Jay Kerai
Released: November 11, 2024