ROSTI Repackaged Open Source Intelligence MDE Network Events IOC Hits
Query
//Looks for Network Traffic hits from the ROSTI Feed
//Source: https://rosti.bin.re/feeds
let RostiBinIOCs = externaldata(type: string, IndicatorValue: string)[@"https://sduixpgwciwivgpuisyf.supabase.co/storage/v1/object/public/bulk-exports/mde-all.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = RostiBinIOCs
| where type == "DomainName" or type == "Url"
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList )
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domainExplanation
This query is designed to identify network traffic events that match indicators from the ROSTI feed, which is a source of potentially malicious domains and URLs. Here's a simple breakdown of what the query does:
-
Fetch Data from ROSTI Feed: It retrieves a list of indicators (domains and URLs) from an external CSV file hosted online.
-
Filter for Relevant Indicators: It filters this list to include only those indicators that are of type "DomainName" or "Url".
-
Check Network Events: It examines network events from the last 90 days to see if any of the remote URLs in these events match the indicators from the ROSTI feed.
-
Create VirusTotal Links: For each matching event, it creates a link to VirusTotal, a service for checking the reputation of domains, using the remote URL.
-
Summarize Results: Finally, it counts how many times each matching URL appears in the network events and provides a summary that includes the URL and its corresponding VirusTotal link.
In essence, this query helps identify potentially malicious network activity by cross-referencing recent network events with known suspicious domains and URLs.
Details

Jay Kerai
Released: February 1, 2025
Tables
Keywords
Operators