Query Details

Risky Sign In After Tweetfeed URL IP Click

Query

// This query hunts for risky sign-ins that occur after a click on a URL or IP listed in the TweetFeed IOC feed
let TweetFeedM = externaldata(Datetime: string, Src: string, Type: string, Indicator: string, Desc: string)["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"];
// Extract the URLs from the IOC feed
let TweetFeedURL = TweetFeedM
    | where Type == "url";
// Extract the IPs from the IOC feed
let TweetFeedIP = TweetFeedM
    | where Type == "ip";
// Clicks whose Url matches a URL in the feed
let HitsURL = UrlClickEvents
    | join kind=inner TweetFeedURL on $left.Url == $right.Indicator
    | project Timestamp, AccountUpn, Url, IPAddress;
// Clicks whose IPAddress matches an IP in the feed
let HitsIP = UrlClickEvents
    | join kind=inner TweetFeedIP on $left.IPAddress == $right.Indicator
    | project Timestamp, AccountUpn, Url, IPAddress;
// Join the click hits with sign-in events of the same account. After the join the
// sign-in Timestamp is renamed Timestamp1, so keep only sign-ins that happened after
// the click and that carry a non-empty risk level
HitsURL
    | union HitsIP
    | join kind=inner AADSignInEventsBeta on $left.AccountUpn == $right.AccountUpn
    | where Timestamp1 > Timestamp
    | where isnotempty(RiskLevelDuringSignIn)

Explanation

This query identifies potentially risky sign-ins that occur after a user clicks a URL or IP address listed in a threat intelligence feed (the TweetFeed IOC feed). In outline, it does the following:

  1. Import threat intelligence data: it loads a CSV file hosted on GitHub that contains indicators of compromise (IOCs), including URLs and IP addresses associated with reported threats.

  2. Separate URLs and IPs: the feed is filtered into two sets, one containing the URL indicators and the other the IP indicators.

  3. Identify clicks on feed URLs: UrlClickEvents is joined with the URL set on the Url column, returning click events whose URL appears in the feed.

  4. Identify clicks matching feed IPs: UrlClickEvents is joined with the IP set on the IPAddress column, returning click events whose recorded IP address appears in the feed.

  5. Combine and correlate with risky sign-ins: the URL and IP hits are combined with a union and joined with Azure Active Directory (AAD) sign-in events on the account UPN. Only rows where the sign-in occurred after the click and where the sign-in carries a non-empty risk level are kept.

In summary, the query hunts for sign-ins that are flagged as risky and that follow the same user's interaction with a URL or IP listed in the threat intelligence feed.
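The correlation described above, re-implemented in plain Python as an added example so the join and time-ordering logic can be exercised offline. This is not the page's KQL and does not query Defender or Sentinel: the feed rows, click events and sign-in events are constructed, the dataclasses carry only the columns the query uses, and the 24-hour `window` upper bound is an added assumption that the KQL does not have.

```python
# Added example: a plain-Python re-implementation of the hunting logic above,
# run over constructed sample data so the correlation can be exercised offline.
# It is not the page's KQL and does not query Defender/Sentinel; the feed rows,
# click events and sign-in events below are constructed, not real data.
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed rows in the five-column order the query declares for the feed:
# Datetime, Src, Type, Indicator, Desc. Indicators use documentation/example ranges.
TWEETFEED_CSV = """\
2024-11-09 10:00:00,@example_src,url,http://phish.example/login,#phishing
2024-11-09 10:05:00,@example_src,ip,203.0.113.10,#c2
2024-11-09 10:06:00,@example_src,domain,phish.example,#phishing
"""


def load_indicators(csv_text):
    """Split the feed into URL and IP indicator sets (the two Type filters)."""
    urls, ips = set(), set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 4:
            continue  # skip blank or truncated lines
        ioc_type, indicator = row[2], row[3]
        if ioc_type == "url":
            urls.add(indicator)
        elif ioc_type == "ip":
            ips.add(indicator)
    return urls, ips


@dataclass(frozen=True)
class ClickEvent:
    """Subset of UrlClickEvents columns used by the query."""
    timestamp: datetime
    account_upn: str
    url: str
    ip_address: str


@dataclass(frozen=True)
class SignInEvent:
    """Subset of AADSignInEventsBeta columns used by the query."""
    timestamp: datetime
    account_upn: str
    risk_level: str  # RiskLevelDuringSignIn; empty string when no risk was assessed


def ioc_clicks(clicks, urls, ips):
    """HitsURL union HitsIP: clicks whose Url or IPAddress appears in the feed."""
    return [c for c in clicks if c.url in urls or c.ip_address in ips]


def risky_signins_after_click(clicks, signins, urls, ips, window=timedelta(hours=24)):
    """Inner-join feed hits to sign-ins of the same UPN and keep sign-ins that
    carry a risk level and occur after the click. `window` is an added upper
    bound (not in the KQL) so a click is not paired with sign-ins weeks later."""
    pairs = []
    for click in ioc_clicks(clicks, urls, ips):
        for signin in signins:
            if signin.account_upn != click.account_upn:
                continue  # join key: same account
            if not signin.risk_level:
                continue  # isnotempty(RiskLevelDuringSignIn)
            if click.timestamp < signin.timestamp <= click.timestamp + window:
                pairs.append((click, signin))
    return pairs


def run_demo():
    """Constructed scenario covering the match and each exclusion path."""
    t0 = datetime(2024, 11, 9, 12, 0, 0)
    clicks = [
        ClickEvent(t0, "alice@example.com", "http://phish.example/login", "198.51.100.5"),
        ClickEvent(t0, "bob@example.com", "https://intranet.example.com", "198.51.100.6"),
        ClickEvent(t0, "carol@example.com", "https://news.example.org", "203.0.113.10"),
        ClickEvent(t0, "dave@example.com", "http://phish.example/login", "198.51.100.8"),
    ]
    signins = [
        SignInEvent(t0 + timedelta(hours=1), "alice@example.com", "medium"),  # match
        SignInEvent(t0 - timedelta(hours=1), "alice@example.com", "high"),    # before the click
        SignInEvent(t0 + timedelta(hours=2), "bob@example.com", "high"),      # click not in feed
        SignInEvent(t0 + timedelta(hours=3), "carol@example.com", ""),        # no risk level
        SignInEvent(t0 + timedelta(days=3), "dave@example.com", "low"),       # outside window
    ]
    urls, ips = load_indicators(TWEETFEED_CSV)
    return risky_signins_after_click(clicks, signins, urls, ips)


if __name__ == "__main__":
    for click, signin in run_demo():
        print(f"{signin.account_upn}: click at {click.timestamp:%H:%M} on {click.url}, "
              f"risky sign-in ({signin.risk_level}) at {signin.timestamp:%H:%M}")
```

Of the four constructed accounts only alice is returned: bob's click is not in the feed, carol's sign-in has no risk level, and dave's risky sign-in falls outside the window. Note that the KQL's union can return the same click twice when both its Url and its IPAddress are in the feed; the list comprehension here keeps each click once.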

Details

Benjamin Zulliger

Released: November 10, 2024

Tables

UrlClickEvents, AADSignInEventsBeta

Keywords

RiskySignIn, Url, Ip, Tweetfeed, Ioc, Urlclickevents, Aadsigneventsbeta, Timestamp, Accountupn, Risklevelduringsignin

Operators

externaldata, where, join, on, project, union, isnotempty