Streaming Sites Device Network Events
Query
let StreamDomains = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/streaming-sites.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = StreamDomains
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList)
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After Hunting visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading to MDE to block all domains. Remove any results that are legitimate usage.Explanation
This KQL (Kusto Query Language) query is designed to identify network events related to streaming sites from a specified list. Here's a simple breakdown of what it does:
-
Load Streaming Domains: It retrieves a list of streaming site domains from a CSV file hosted on GitHub. The CSV file is read, ignoring the first record (which is likely a header), and it extracts two columns:
typeandIndicatorValue. -
Prepare Domain List: It creates a list of domain names (
IndicatorValue) from the streaming sites data. -
Filter Network Events: It searches through
DeviceNetworkEventsfor any network activity in the last 90 days where theRemoteUrlmatches any domain in the prepared list. -
Enhance Data: For each matching event, it creates a link to VirusTotal for the domain, allowing for further investigation.
-
Summarize Results: It counts the number of events for each domain and provides a summary that includes the domain and its VirusTotal link.
-
Next Steps: After analyzing the results, the query suggests downloading the CSV file from GitHub and considering uploading it to Microsoft Defender for Endpoint (MDE) to block these domains, while ensuring to exclude any domains that are used legitimately.
Details

Jay Kerai
Released: November 11, 2024
Tables
Keywords
Operators