Query Details

Rating ISPs To Detect Potential Malicious Domains Sending Threats

Query

**Rating ISPs to detect potential malicious domains sending threats**

**Description:** This query is oriented to email threats and lets you rate ISPs (the ASN each sender IP belongs to) in order to detect:

- ISPs that are using multiple domains to send you threat emails.
- ISPs and domains with a high percentage of malicious emails, and to verify if any were delivered into Inbox folders.
- ISPs using multiple different IP addresses to send you threats.
  
...and more!

```
// CIDR -> ASN table fetched at query time from a third-party list (externaldata)
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']with (ignoreFirstRecord=true));
EmailEvents
// Map each sender IP to its CIDR block / ASN; keep rows whose IP matches no known range
| evaluate ipv4_lookup(CIDRASN, SenderIPv4, CIDR, return_unmatched=true)
| extend GeoIPData = tostring(geo_info_from_ip_address(SenderIPv4).country)
// Group per ASN (the ISP), not per CIDR/country, so the sets below aggregate across the provider;
// count() takes no arguments in KQL, so predicate counts use countif()
| summarize Different_IPs=make_set(SenderIPv4), Countries=make_set(GeoIPData), make_set(CIDR), make_set(SenderFromDomain),
    Total_different_IPs=dcount(SenderIPv4), Total_emails=count(), make_set(ThreatTypes),
    Delivered_on_Inbox=countif(DeliveryLocation == "Inbox/folder"),
    Threats_Delivered_on_Inbox=countif(isnotempty(ThreatTypes) and DeliveryLocation == "Inbox/folder"),
    Email_Threat=countif(isnotempty(ThreatTypes)), Email_Valid=countif(isempty(ThreatTypes))
    by CIDRASN, CIDRASNName
| extend SuspiciousRatio = Email_Threat * 1.0 / Total_emails, ValidRatio = Email_Valid * 1.0 / Total_emails
| extend SuspiciousPercentage = SuspiciousRatio * 100, ValidPercentage = ValidRatio * 100
| order by Email_Threat desc
| project CIDRASN, CIDRASNName, set_SenderFromDomain, set_CIDR, Different_IPs, Countries, Total_different_IPs, set_ThreatTypes, Total_emails, Delivered_on_Inbox, Threats_Delivered_on_Inbox, Email_Threat, Email_Valid, SuspiciousPercentage, ValidPercentage
```

Explanation

This query is designed to analyze email threats by evaluating Internet Service Providers (ISPs) and their associated domains. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses an external data source (loaded with externaldata) containing CIDR (IP range) and ASN (Autonomous System Number) information, and ipv4_lookup maps each sender IP to the range and ASN it belongs to. With return_unmatched=true, senders whose IP is in no known range are kept rather than dropped.

  2. Email Event Analysis: It processes email events to:

    • Identify ISPs using multiple domains to send potentially malicious emails.
    • Determine ISPs and domains with a high percentage of malicious emails.
    • Check if any of these emails were delivered to inbox folders.
    • Detect ISPs using various IP addresses to send threats.

  3. Data Enrichment: The query enriches the email data by adding the sender's country, taken from geo_info_from_ip_address on the sender IP address.

  4. Summarization: It summarizes the data per ISP (ASN) by:

    • Listing the different IPs, countries, CIDR ranges and sender domains associated with each ISP.
    • Counting the total number of different IPs and emails.
    • Collecting the threat types seen (ThreatTypes) and counting how many emails reached the inbox (DeliveryLocation), including how many of those were threats.
    • Counting emails flagged as threats (ThreatTypes non-empty) versus emails with no threat verdict.

  5. Ratios and Percentages: It calculates the ratio and percentage of suspicious (malicious) versus valid emails for each ISP.

  6. Ordering and Projection: The results are ordered by the number of email threats (highest first) and projected to show key information such as ISP name, domains used, IPs, countries, threat types, and the calculated percentages.

Overall, this query helps identify and rate ISPs based on their involvement in sending potentially malicious emails, providing insights into their behavior and the threat landscape. Two practical caveats: percentages computed on a small Total_emails are noisy, so judge an ISP by both its percentage and its volume, and the ASN list is fetched from a third-party URL at query time, so an outage or change to that list alters the results.
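The lookup-and-aggregate logic the steps above describe, as an added Python example that is not code from the page or its author: it reproduces the CIDR-to-ASN lookup, the per-ASN summarize and the ratio columns over constructed sample events, so the scoring can be checked offline before running the KQL against real EmailEvents data. Assumptions: the CIDR table, ASNs, domains and email rows are all constructed sample data; overlapping ranges are resolved by longest-prefix match (verify that against ipv4_lookup's documented behavior if your list contains overlaps); the country enrichment (geo_info_from_ip_address) is not reproduced because it needs a GeoIP database.

```python
"""Offline reproduction of the ISP-rating logic (added example, not the
original KQL or Defender telemetry). All data below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for the externaldata CIDR -> ASN table (hypothetical ASNs).
CIDR_ASN = [
    ("203.0.113.0/24",   64500, "EXAMPLE-ISP-A"),
    ("203.0.113.128/25", 64501, "EXAMPLE-ISP-A-RESELLER"),  # more specific than the /24
    ("198.51.100.0/24",  64502, "EXAMPLE-ISP-B"),
]

# Constructed stand-in for EmailEvents rows:
# (SenderIPv4, SenderFromDomain, ThreatTypes, DeliveryLocation)
EMAIL_EVENTS = [
    ("203.0.113.10",  "promo-a.example", "Phish",          "Quarantine"),
    ("203.0.113.11",  "promo-b.example", "Malware",        "Inbox/folder"),
    ("203.0.113.12",  "promo-c.example", "",               "Inbox/folder"),
    ("203.0.113.200", "deals.example",   "Phish, Malware", "Junk folder"),
    ("198.51.100.5",  "partner.example", "",               "Inbox/folder"),
    ("198.51.100.5",  "partner.example", "",               "Inbox/folder"),
    ("192.0.2.77",    "unknown.example", "Phish",          "Inbox/folder"),  # in no listed CIDR
]

NETWORKS = [(ip_network(cidr), asn, name) for cidr, asn, name in CIDR_ASN]


def lookup_asn(ip: str):
    """Longest-prefix match (assumed behaviour of ipv4_lookup on overlapping ranges).
    Returns (CIDR, ASN, name); an unmatched IP yields ("", None, ""), which is the
    row return_unmatched=true keeps."""
    addr = ip_address(ip)
    best = None
    for net, asn, name in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    if best is None:
        return ("", None, "")
    return (str(best[0]), best[1], best[2])


def rate_isps(events=EMAIL_EVENTS):
    """Aggregate per ASN the way the query's summarize ... by CIDRASN, CIDRASNName does."""
    groups = defaultdict(lambda: {"ips": set(), "cidrs": set(), "domains": set(),
                                  "threat_types": set(), "total": 0, "threats": 0,
                                  "valid": 0, "inbox": 0, "threats_in_inbox": 0})
    for ip, domain, threat_types, delivery in events:
        cidr, asn, name = lookup_asn(ip)
        g = groups[(asn, name)]
        g["ips"].add(ip)                      # make_set(SenderIPv4) / dcount(SenderIPv4)
        g["cidrs"].add(cidr)                  # make_set(CIDR)
        g["domains"].add(domain)              # make_set(SenderFromDomain)
        g["total"] += 1                       # count()
        is_threat = bool(threat_types)        # isnotempty(ThreatTypes)
        g["threats" if is_threat else "valid"] += 1
        if is_threat:
            g["threat_types"].update(t.strip() for t in threat_types.split(","))
        if delivery == "Inbox/folder":        # countif(DeliveryLocation == "Inbox/folder")
            g["inbox"] += 1
            if is_threat:
                g["threats_in_inbox"] += 1
    rows = []
    for (asn, name), g in groups.items():
        rows.append({
            "ASN": asn, "ISP": name,
            "domains": sorted(g["domains"]), "cidrs": sorted(g["cidrs"]),
            "different_ips": len(g["ips"]), "threat_types": sorted(g["threat_types"]),
            "total_emails": g["total"], "email_threat": g["threats"], "email_valid": g["valid"],
            "delivered_on_inbox": g["inbox"], "threats_delivered_on_inbox": g["threats_in_inbox"],
            "suspicious_pct": 100.0 * g["threats"] / g["total"],
        })
    rows.sort(key=lambda r: r["email_threat"], reverse=True)  # order by Email_Threat desc
    return rows


if __name__ == "__main__":
    for r in rate_isps():
        print(f'{r["ISP"] or "<unmatched>":<25} threats={r["email_threat"]}/{r["total_emails"]} '
              f'({r["suspicious_pct"]:.0f}%) domains={len(r["domains"])} ips={r["different_ips"]} '
              f'threats_in_inbox={r["threats_delivered_on_inbox"]}')
```

Note how the /25 reseller range wins over the enclosing /24 for 203.0.113.200, and how the unmatched sender (192.0.2.77) still appears as its own row with an empty ISP name: that row is where senders outside your ASN list, including IPv6-only senders in the real table, end up, so it should be reviewed rather than ignored.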

Details


Sergio Albea

Released: December 26, 2024

Tables

EmailEvents

Keywords

EmailEvents, GeoIPData, ThreatTypes, DeliveryLocation

Operators

let, externaldata, evaluate, ipv4_lookup, extend, tostring, geo_info_from_ip_address, summarize, make_set, dcount, count, countif, isnotempty, isempty, by, order by, project
