Query Details

Software Download Sites Device Network Events

Query

let SoftwareDownloadDomains = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/SoftwarePackersOrSoftwareDownloadProxySites.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = SoftwareDownloadDomains
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList)
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After Hunting visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading to MDE to block all domains. Remove any results that are legitimate usage.

Explanation

This KQL query is designed to identify network events involving potentially suspicious software download and software packer domains. Here is a breakdown of what the query does:

  1. Load External Data: It starts by loading a list of software download domains from an external CSV file hosted on GitHub, using externaldata with the header row skipped (ignoreFirstRecord=True). This list is stored in a variable called SoftwareDownloadDomains.

  2. Extract Domain List: It projects the IndicatorValue column from the loaded data, which contains the domain names, and stores the single-column result in a variable called DomainList.

  3. Filter Network Events: The query then looks at DeviceNetworkEvents from the past 90 days and keeps only the events whose RemoteUrl is in DomainList. Note that in~ is a case-insensitive exact match against the whole RemoteUrl value, so a full URL with a path, or a subdomain that is not itself in the list, will not match; if the hunt returns nothing, that is the first thing to check.

  4. Add VirusTotal Links: For each matching event, it builds a link to the VirusTotal domain page for the RemoteUrl, allowing further investigation. This is stored in a new column called VT_domain. The isnotempty guard is redundant after the filter (every surviving row already has a RemoteUrl), but harmless.

  5. Summarize Results: Finally, it counts the number of events per RemoteUrl and carries the VirusTotal link alongside each domain.

The comment at the end suggests that after reviewing the results, you download the CSV file from the GitHub repository, remove any domains that are legitimately used in your environment, and consider importing the remainder into Microsoft Defender for Endpoint (MDE) as custom indicators with a Block action.
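The matching caveat in step 3 is the part most likely to bite in practice: DeviceNetworkEvents can hold RemoteUrl as a bare host name or as a full URL, and the list may contain a parent domain whose subdomains are what actually appear in telemetry. The query below is an added example, not the query from the page or the author's repository: it uses the same indicator CSV, normalises RemoteUrl to a lowercase host name before matching, also matches subdomains of listed domains, adds per-device and first/last-seen context to the summary, and shows where an allowlist for known-legitimate usage would go. The Allowlist values are placeholders (assumed, not from the page); TimeGenerated is the Sentinel column name used by the original query (in the MDE advanced hunting portal it is Timestamp).

```kql
// Added example, not the page's own query. Same indicator source as the original.
let SoftwareDownloadDomains = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/SoftwarePackersOrSoftwareDownloadProxySites.csv"] with (format="csv", ignoreFirstRecord=True);
// Lowercase and trim the indicators so the comparison does not depend on how the CSV was typed.
let DomainList = SoftwareDownloadDomains
| project IndicatorValue = tolower(trim(@"\s+", IndicatorValue));
// Placeholder allowlist for hosts you have confirmed as legitimate usage (assumed values, edit to taste).
let Allowlist = dynamic(["allowed-cdn.example.com"]);
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where isnotempty(RemoteUrl)
// RemoteUrl may be "host", "https://host/path" or "host:port"; keep only the lowercase host part.
| extend RemoteHost = extract(@"^(?:[a-z]+://)?([^/:?#]+)", 1, tolower(RemoteUrl))
| where RemoteHost !in~ (Allowlist)
// in~ catches exact matches; has_any treats "example.com" as a phrase of terms, so
// "cdn.example.com" matches it, "notexample.com" does not, but "example.com.evil.test" would,
// which is acceptable for hunting and should be reviewed before blocking.
| where RemoteHost in~ (DomainList) or RemoteHost has_any (DomainList)
| extend VT_domain = strcat(@"https://www.virustotal.com/gui/domain/", RemoteHost)
| summarize Events = count(), Devices = dcount(DeviceName), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by RemoteHost, VT_domain
| order by Events desc
```

Run the original and this variant side by side: a host that appears only in the second result set is one that the exact match missed, which is exactly the set you want to examine before deciding what to import into MDE as blocking indicators.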

Details

Jay Kerai

Released: February 9, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

let, externaldata, with, format, ignoreFirstRecord, project, where, in~, extend, iff, isnotempty, strcat, summarize, by
