Query Details

Remote Management Tools RMM Device Network Events Domains

Query

// Pull the published RMM indicator list; the CSV has a header row (type, IndicatorValue) that ignoreFirstRecord skips
let RMM_IOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/RMM.csv"] with (format="csv", ignoreFirstRecord=True);
// Keep only the indicator column; this single-column table is the lookup list
let DomainList = RMM_IOCs
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
// in~ is a case-insensitive, whole-value comparison: RemoteUrl must equal an indicator exactly
| where RemoteUrl in~(DomainList)
// Build a VirusTotal domain-report link for each hit
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain

Explanation

This KQL (Kusto Query Language) query checks device network events against a published list of domains used by remote monitoring and management (RMM) tools. RMM software is legitimate, but attackers routinely install it to keep remote access to a compromised host, so connections to these domains are worth reviewing even when the tool itself is benign. Here's a breakdown:

  1. Load External Data: externaldata pulls a CSV file from the URL shown. The file lists indicators of compromise (IOCs) for RMM software, one per row, with a type column and an IndicatorValue column holding the domain. ignoreFirstRecord=True skips the header row. The result is a table called RMM_IOCs.

  2. Extract Domain List: project keeps only the IndicatorValue column, producing a single-column table, DomainList, that the next step uses as its lookup list.

  3. Filter Device Network Events: the query then scans DeviceNetworkEvents from the last 90 days and keeps rows whose RemoteUrl appears in DomainList. in~ is case-insensitive but compares the whole value, so a RemoteUrl that carries a scheme, a path, or an extra subdomain will not match a bare-domain indicator. TimeGenerated is the Microsoft Sentinel column name; in Defender Advanced Hunting the equivalent column is Timestamp.

  4. Create VirusTotal Links: for each remaining row, strcat builds a VirusTotal domain-report link by appending the RemoteUrl to https://www.virustotal.com/gui/domain/ (the isnotempty guard leaves an empty RemoteUrl untouched).

  5. Summarize Results: summarize count() by RemoteUrl, VT_domain counts how many connections each domain received over the period, returning one row per domain together with its VirusTotal link.

In essence, this query shows which RMM domains devices in your environment have connected to and how often, with a ready-made VirusTotal link for each. Connections to an RMM tool the organisation does not actually use are the ones to investigate first.
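To make the matching behaviour concrete, the following is an added example (not part of the original page or the author's repository) that re-implements the query's logic offline in Python over a constructed CSV and a handful of constructed DeviceNetworkEvents rows. The indicator domains (rmm-vendor.example and its subdomain) are made up for the example, not taken from the real RMM.csv. Alongside the query's exact in~ semantics, it also shows a hostname-and-suffix match that catches full URLs and subdomains the exact comparison misses; that variant goes beyond what the page's query does.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

VT_BASE = "https://www.virustotal.com/gui/domain/"

# Constructed stand-in for RMM.csv: same two columns (type, IndicatorValue)
# as the real feed, but the indicator values are invented for this example.
RMM_CSV = """type,IndicatorValue
domain,rmm-vendor.example
domain,download.rmm-vendor.example
"""

# Constructed DeviceNetworkEvents rows, reduced to the columns the query uses.
EVENTS = [
    {"DeviceName": "wks01", "RemoteUrl": "rmm-vendor.example"},
    {"DeviceName": "wks02", "RemoteUrl": "RMM-Vendor.example"},
    {"DeviceName": "wks03", "RemoteUrl": "cdn.rmm-vendor.example"},
    {"DeviceName": "wks04", "RemoteUrl": "https://rmm-vendor.example/installer.exe"},
    {"DeviceName": "wks05", "RemoteUrl": "update.os-vendor.example"},
]


def load_domain_list(csv_text):
    """externaldata(...) with ignoreFirstRecord=True, then project IndicatorValue."""
    reader = csv.DictReader(io.StringIO(csv_text))  # DictReader consumes the header row
    return {row["IndicatorValue"].strip().lower()
            for row in reader if row.get("IndicatorValue")}


def vt_domain(remote_url):
    """iff(isnotempty(RemoteUrl), strcat(VT_BASE, RemoteUrl), RemoteUrl)."""
    return VT_BASE + remote_url if remote_url else remote_url


def exact_match(events, domains):
    """`where RemoteUrl in~ (DomainList)`: case-insensitive, whole-value equality.

    A scheme, path, port or extra subdomain in RemoteUrl defeats the match.
    """
    hits = Counter()
    for ev in events:
        url = ev["RemoteUrl"]
        if url.lower() in domains:
            hits[url] += 1  # keyed by the original RemoteUrl, as summarize by RemoteUrl is
    return hits


def host_of(remote_url):
    """Extract the lowercase hostname; RemoteUrl may be a bare host, host:port or full URL."""
    target = remote_url if "://" in remote_url else "//" + remote_url
    return (urlsplit(target).hostname or "").lower()


def suffix_match(events, domains):
    """Variant beyond the page's query: match on hostname, including subdomains of an indicator."""
    hits = Counter()
    for ev in events:
        host = host_of(ev["RemoteUrl"])
        matched = [d for d in domains if host == d or host.endswith("." + d)]
        if matched:
            hits[max(matched, key=len)] += 1  # most specific indicator wins
    return hits


def summarize(hits):
    """`summarize count() by RemoteUrl, VT_domain`, returned as (RemoteUrl, VT_domain, count) rows."""
    return [(url, vt_domain(url), n) for url, n in sorted(hits.items())]


if __name__ == "__main__":
    domains = load_domain_list(RMM_CSV)
    print("exact (in~) matches:")
    for row in summarize(exact_match(EVENTS, domains)):
        print("  ", row)
    print("hostname/suffix matches:")
    for row in summarize(suffix_match(EVENTS, domains)):
        print("  ", row)
```

With the constructed rows, the exact comparison reports two connections (wks01 and wks02, the case-variant), while the hostname-and-suffix variant reports four: the subdomain on wks03 and the full URL on wks04 are only caught once the hostname is extracted. That gap is the reason to check what RemoteUrl actually contains in your tenant before trusting a zero-result run of the query.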

Details


Jay Kerai

Released: November 11, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, RemoteUrl, Domain

Operators

let, externaldata, with, project, in~, where, extend, iff, isnotempty, strcat, summarize, by
