Query Details

Streaming Sites Device Network Events

Query

let StreamDomains = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/streaming-sites.csv"] with (format="csv", ignoreFirstRecord=true);
let DomainList = StreamDomains
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList)
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After Hunting visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading to MDE to block all domains. Remove any results that are legitimate usage.

Explanation

This KQL (Kusto Query Language) query is designed to identify network events related to streaming sites from a specified list. Here's a simple breakdown of what it does:

  1. Load Streaming Domains: It retrieves a list of streaming site domains from a CSV file hosted on GitHub. The CSV file is read with its first record (the header row) skipped, and two columns are extracted: type and IndicatorValue.

  2. Prepare Domain List: It creates a list of domain names (IndicatorValue) from the streaming sites data.

  3. Filter Network Events: It searches DeviceNetworkEvents for any network activity in the last 90 days where the RemoteUrl matches (case-insensitively, as a whole value) any domain in the prepared list.

  4. Enhance Data: For each matching event, it creates a link to VirusTotal for the domain, allowing for further investigation.

  5. Summarize Results: It counts the number of events for each domain and provides a summary that includes the domain and its VirusTotal link.

  6. Next Steps: After analyzing the results, the query's trailing comment suggests downloading the CSV file from GitHub and considering uploading it to Microsoft Defender for Endpoint (MDE) to block these domains, after removing any domains that are used legitimately.
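To make the matching and summarising steps concrete without a workspace, the following is an added Python model of the hunt (example code, not the page's query and not part of the author's repository). The CSV text and the DeviceNetworkEvents rows are constructed sample data; the `matches_suffix` helper is an assumed broader variant that is not what the KQL above does, included only to show what `in~` leaves out (subdomains such as `www.netflix.com`), and `allowlist` models the "remove legitimate usage" step.

```python
"""Offline model of the 'Streaming Sites Device Network Events' hunt.

Added example, not the page's query: it reproduces the load, filter, enrich
and summarise steps in Python over constructed data so the semantics of
KQL's `in~` (case-insensitive, whole-value match) can be seen directly.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the GitHub CSV that externaldata() loads:
# a header row (skipped, like ignoreFirstRecord=true) followed by domains.
STREAMING_CSV = """type,IndicatorValue
domain,netflix.com
domain,twitch.tv
domain,Hulu.com
"""

NOW = datetime(2024, 11, 11, tzinfo=timezone.utc)

# Constructed DeviceNetworkEvents rows: (TimeGenerated, RemoteUrl).
EVENTS = [
    (NOW - timedelta(days=1), "netflix.com"),
    (NOW - timedelta(days=2), "NETFLIX.COM"),      # case differs: in~ still matches
    (NOW - timedelta(days=3), "www.netflix.com"),  # subdomain: in~ does NOT match
    (NOW - timedelta(days=5), "twitch.tv"),
    (NOW - timedelta(days=120), "twitch.tv"),      # older than 90d: filtered out
    (NOW - timedelta(days=7), "hulu.com"),
    (NOW - timedelta(days=8), "example.org"),      # not on the list
]


def load_domain_list(csv_text):
    """Steps 1-2: read the CSV, skip the header, keep IndicatorValue lower-cased."""
    reader = csv.DictReader(io.StringIO(csv_text))  # DictReader consumes the header
    return {row["IndicatorValue"].strip().lower() for row in reader}


def matches_exact(remote_url, domains):
    """KQL `RemoteUrl in~ (DomainList)`: case-insensitive, whole-value equality."""
    return remote_url.lower() in domains


def matches_suffix(remote_url, domains):
    """Assumed broader variant that also catches subdomains of a listed domain.
    Not what the page's query does; shown for contrast only."""
    host = remote_url.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(events, csv_text, now=NOW, lookback_days=90, exact=True, allowlist=()):
    """Steps 3-5: time filter, list match, VirusTotal link, count per RemoteUrl.

    Returns {RemoteUrl: (count, VT_domain)}. Grouping is by the raw RemoteUrl
    value, as `summarize ... by RemoteUrl` is, so 'netflix.com' and
    'NETFLIX.COM' land in separate rows even though both matched via in~.
    `allowlist` drops domains that are legitimately used before the list is
    considered for an MDE block list.
    """
    domains = load_domain_list(csv_text) - {a.lower() for a in allowlist}
    match = matches_exact if exact else matches_suffix
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter(
        url for ts, url in events if ts > cutoff and match(url, domains)
    )
    return {
        url: (n, "https://www.virustotal.com/gui/domain/" + url)
        for url, n in counts.items()
    }


if __name__ == "__main__":
    for url, (n, vt) in sorted(hunt(EVENTS, STREAMING_CSV).items()):
        print(f"{n:3d}  {url:20s}  {vt}")
```

Run as-is it prints four rows (netflix.com, NETFLIX.COM, twitch.tv, hulu.com), each with one event: the 120-day-old twitch.tv row is outside the lookback, and `www.netflix.com` is absent because `in~` compares whole values. Calling `hunt(..., exact=False)` adds that subdomain row, which is the kind of difference to check before treating a zero-result hunt as "no streaming traffic".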

Details


Jay Kerai

Released: November 11, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, RemoteUrl, TimeGenerated, IndicatorValue

Operators

let, externaldata, with, format, ignoreFirstRecord, project, where, in~, extend, iff, isnotempty, strcat, summarize, by