Query Details
Piracy Domains Device Network Events
Query
let PiracyIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Piracy.csv"] with (format="csv", ignoreFirstRecord=True); let DomainList = PiracyIOCs | project IndicatorValue; DeviceNetworkEvents | where TimeGenerated > ago(90d) | where RemoteUrl in~(DomainList ) | extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl) | summarize count() by RemoteUrl, VT_domain
Explanation
This query is designed to identify and summarize network events related to potentially malicious domains, specifically focusing on piracy-related indicators of compromise (IOCs). Here's a simple breakdown:
-
Data Import: It starts by importing a list of piracy-related indicators from an external CSV file hosted on GitHub. This file contains a column named
IndicatorValue, which presumably lists domain names associated with piracy activities. -
Domain Extraction: The query extracts these domain names into a list called
DomainList. -
Event Filtering: It then searches through
DeviceNetworkEventsto find any network events that have occurred in the last 90 days (TimeGenerated > ago(90d)) where theRemoteUrl(the domain accessed) matches any domain in theDomainList. -
VirusTotal Link Creation: For each matching event, it creates a link to the VirusTotal website for further investigation of the domain. This is done by appending the domain name to a base VirusTotal URL.
-
Summarization: Finally, it summarizes the results by counting the number of events for each domain and provides a link to VirusTotal for each domain.
In essence, this query helps identify and quantify network activity related to known piracy domains, providing a quick way to assess potential threats and investigate them further using VirusTotal.
Details
Jay Kerai
Released: November 11, 2024
Tables
Keywords
Operators