Query Details
// This query looks for ungoverned AI usage by using DeviceNetworkEvents
let UngovernedAI_IOCs = externaldata(type: string, IndicatorValue: string)
    [@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/PotentiallyUngovernedAITools.csv"]
    with (format="csv", ignoreFirstRecord=true);
let DomainList = UngovernedAI_IOCs | project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~ (DomainList)
| summarize count() by RemoteUrl
// After hunting, visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading it to MDE to block all domains. Remove any results that are legitimate usage.
This query identifies the use of potentially ungoverned AI tools by matching device network events against a published list of domains. Here is a breakdown:
Data Source: The externaldata() operator fetches a CSV of indicators from a GitHub repository at query time. The file has two columns, type and IndicatorValue, and the IndicatorValue column holds domains suspected to belong to AI tools that are not under organisational control. Because the list is fetched live, the results track whatever the repository contains when the query runs, so review the file before trusting it, and note that the workspace must be able to reach raw.githubusercontent.com. The TimeGenerated column indicates this is written for the DeviceNetworkEvents table in Microsoft Sentinel; in Defender XDR advanced hunting the time column is Timestamp and externaldata() is not supported, so the list would have to be pasted inline with datatable() instead.
Domain Extraction: The query projects the IndicatorValue column into DomainList, the set of domains to hunt for.
Event Filtering: It examines network events from the past 90 days and keeps rows whose RemoteUrl equals one of the listed domains. The in~ operator is a case-insensitive exact comparison, so a RemoteUrl that is a subdomain (api.example-ai.test) or a full URL with a path will not match a bare domain in the list; extract the host and compare on the registrable domain if those forms appear in your telemetry.
Result Summarization: The query counts how many events were seen for each matched domain and presents those counts.
Next Steps: After reviewing the hits, visit the GitHub repository, download the CSV, and consider uploading it to Microsoft Defender for Endpoint (MDE) as custom indicators to block the domains. Remove any domains that represent sanctioned, legitimate usage before blocking, so that approved tools are not cut off.
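To show what the exact-match filter above catches and what it misses, the following added example (not code from the original page or from the query's author) replays the query's logic in Python over a constructed IOC CSV in the same two-column shape the externaldata() call declares and a handful of constructed DeviceNetworkEvents rows. The domains, device names and event values are assumptions for illustration only. exact_match() mirrors `where RemoteUrl in~ (DomainList) | summarize count() by RemoteUrl`; suffix_match() is the hardened variant that reduces RemoteUrl to a hostname and also matches subdomains, while still rejecting lookalike hosts that merely end in the same characters.

```python
import csv
import io
from collections import Counter

# Constructed IOC list with the columns the query's externaldata() declares
# (type, IndicatorValue). These domains are assumptions, not the real CSV.
IOC_CSV = """type,IndicatorValue
DomainName,example-ai-chat.test
DomainName,ungoverned-llm.example
"""

# Constructed DeviceNetworkEvents rows (subset of columns), assumed for illustration.
EVENTS = [
    {"DeviceName": "wks01", "RemoteUrl": "example-ai-chat.test"},               # exact hit
    {"DeviceName": "wks01", "RemoteUrl": "Example-AI-Chat.test"},               # case differs only
    {"DeviceName": "wks02", "RemoteUrl": "api.example-ai-chat.test"},           # subdomain
    {"DeviceName": "wks03", "RemoteUrl": "https://ungoverned-llm.example/v1"},  # full URL with path
    {"DeviceName": "wks03", "RemoteUrl": "notexample-ai-chat.test"},            # lookalike, must not match
    {"DeviceName": "wks04", "RemoteUrl": "update.microsoft.test"},              # unrelated
]


def load_iocs(csv_text):
    """Parse the CSV, skipping the header row (ignoreFirstRecord=true) and
    normalising to lowercase so comparisons behave like in~."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["IndicatorValue"].strip().lower() for row in reader}


def host_of(remote_url):
    """Reduce a RemoteUrl value to a bare hostname: strip scheme, path and port."""
    u = remote_url.strip().lower()
    if "://" in u:
        u = u.split("://", 1)[1]
    u = u.split("/", 1)[0]
    u = u.split(":", 1)[0]
    return u


def exact_match(events, iocs):
    """Mirror of the query: RemoteUrl in~ (DomainList), counted per domain.
    Only rows whose whole RemoteUrl equals a listed domain are counted."""
    hits = Counter()
    for e in events:
        url = e["RemoteUrl"].lower()
        if url in iocs:
            hits[url] += 1
    return dict(hits)


def suffix_match(events, iocs):
    """Hardened variant: match when the hostname equals a listed domain or is a
    subdomain of it ('.' + domain), so URLs and subdomains are caught but
    lookalikes such as notexample-ai-chat.test are not."""
    hits = Counter()
    for e in events:
        host = host_of(e["RemoteUrl"])
        for d in iocs:
            if host == d or host.endswith("." + d):
                hits[d] += 1
                break
    return dict(hits)


if __name__ == "__main__":
    iocs = load_iocs(IOC_CSV)
    print("exact (as in the query):", exact_match(EVENTS, iocs))
    print("suffix (subdomains + URLs):", suffix_match(EVENTS, iocs))
```

Run as a script, the exact form reports a single domain with two hits (the two case variants of the bare hostname), while the suffix form also attributes the subdomain access and the full-URL access to their listed domains, which is the gap to keep in mind when RemoteUrl values in your tenant are not bare hostnames.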

Jay Kerai
Released: November 11, 2024