Query Details
Personal Messaging Domains Device Network Events
Query
let ChatIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/ChatSites.csv"] with (format="csv", ignoreFirstRecord=True); let DomainList = ChatIOCs | project IndicatorValue; DeviceNetworkEvents | where TimeGenerated > ago(90d) | where RemoteUrl in~(DomainList ) | extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl) | summarize count() by RemoteUrl,VT_domain //,DeviceName, InitiatingProcessAccountUpn
Explanation
This KQL (Kusto Query Language) query is designed to analyze network events related to specific chat site domains over the past 90 days. Here's a simple breakdown of what it does:
-
Load External Data: It imports a list of chat site indicators (IOCs) from an external CSV file hosted on GitHub. This file contains two columns:
typeandIndicatorValue. -
Extract Domain List: It extracts the
IndicatorValuecolumn from the imported data, which represents the list of chat site domains. -
Filter Network Events: It queries the
DeviceNetworkEventstable to find events where theRemoteUrl(the URL accessed by devices) matches any of the domains in the extracted list. It only considers events from the last 90 days. -
Enhance Data: For each matching event, it creates a new field
VT_domain, which is a URL to the VirusTotal website for the domain. This is done by appending the domain to a base VirusTotal URL. -
Summarize Results: Finally, it summarizes the data by counting the number of events for each
RemoteUrland its correspondingVT_domain.
In essence, this query helps identify and count network events involving specific chat site domains, providing a link to VirusTotal for further investigation of each domain.
Details
Jay Kerai
Released: November 11, 2024
Tables
Keywords
Operators