Query Details

TI Botvrij Url In Email Url Info

Query

//Detects Hits from Botvrij.eu Feed in EmailUrlInfo
let BotvrijRAW = externaldata(Url: string)["https://www.botvrij.eu/data/ioclist.domain"]
    // Keep only the indicator in front of the "# comment" suffix; lines with no "#" are kept whole
    | extend Url = iff(indexof(Url, "#") >= 0, substring(Url, 0, indexof(Url, "#")), Url)
    // Remove surrounding whitespace so the indicator compares cleanly
    | extend Url = trim(@"\s+", Url)
    // Drop header and comment-only lines that are now empty
    | where isnotempty(Url);
EmailUrlInfo
    | where UrlDomain has_any (BotvrijRAW)
    | join EmailEvents on NetworkMessageId

Explanation

This KQL (Kusto Query Language) query is designed to detect email activities involving URLs that are listed in a threat intelligence feed from Botvrij.eu. Here's a simplified breakdown of what the query does:

  1. Fetch Data from Botvrij.eu:
    • The query starts by pulling data from an external source, specifically a list of potentially malicious domains provided by Botvrij.eu.
  2. Clean the Data:
    • It processes this data to remove any comments (anything after a # in the URL) and filters out any empty entries, ensuring that only valid URLs are considered.
  3. Check Email URLs Against the List:
    • The query then looks at the EmailUrlInfo table, which contains information about URLs found in emails.
    • It checks if any of these URLs match the domains listed in the Botvrij.eu feed.
  4. Join with Email Events:
    • If a match is found, it joins this information with the EmailEvents table using the NetworkMessageId to provide more context about the email events associated with these URLs.

In summary, this query is used to identify and analyze email activities that involve URLs flagged as potentially harmful by Botvrij.eu, helping to detect and respond to possible security threats.
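The four steps above, re-implemented in Python so the feed parsing and matching logic can be exercised offline (an added example, not the page's query or Botvrij.eu's code). The feed lines and the EmailUrlInfo/EmailEvents rows are constructed sample data; treating a feed domain as matching its subdomains is this example's reading of the has_any match and is an assumption.

```python
# Constructed sample of the ioclist.domain format ("<domain> # <comment>");
# the header line and the entry without "#" are deliberate edge cases.
FEED_SAMPLE = """# Botvrij.eu IOC list (constructed header line)
bad-example.test # constructed comment
evil.example # another constructed comment
plain-entry.test
"""

# Constructed rows standing in for EmailUrlInfo and EmailEvents.
EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-1", "UrlDomain": "bad-example.test"},
    {"NetworkMessageId": "msg-2", "UrlDomain": "login.evil.example"},
    {"NetworkMessageId": "msg-3", "UrlDomain": "safe.example"},
    {"NetworkMessageId": "msg-4", "UrlDomain": "plain-entry.test"},
]
EMAIL_EVENTS = {  # msg-4 intentionally absent: no event row to join to
    "msg-1": {"SenderFromAddress": "a@sender.test", "Subject": "Invoice"},
    "msg-2": {"SenderFromAddress": "b@sender.test", "Subject": "Reset"},
    "msg-3": {"SenderFromAddress": "c@sender.test", "Subject": "Hello"},
}


def parse_feed(text: str) -> list[str]:
    """Steps 1-2: cut each line at '#', trim, drop what is left empty."""
    domains = []
    for line in text.splitlines():
        url = line.split("#", 1)[0].strip().lower()
        if url:  # isnotempty(Url)
            domains.append(url)
    return domains


def domain_matches(url_domain: str, indicators: list[str]) -> bool:
    """Step 3: exact match, or the indicator is a parent domain of UrlDomain
    (this example's reading of the KQL has_any term match; an assumption)."""
    d = url_domain.lower()
    return any(d == ioc or d.endswith("." + ioc) for ioc in indicators)


def detect_hits(feed_text: str, url_info: list[dict[str, str]],
                events: dict[str, dict[str, str]]) -> list[dict[str, str]]:
    """Step 4: inner join of matching EmailUrlInfo rows to EmailEvents
    on NetworkMessageId; rows with no event row are dropped."""
    iocs = parse_feed(feed_text)
    return [{**row, **events[row["NetworkMessageId"]]}
            for row in url_info
            if domain_matches(row["UrlDomain"], iocs)
            and row["NetworkMessageId"] in events]
```

Running detect_hits(FEED_SAMPLE, EMAIL_URL_INFO, EMAIL_EVENTS) returns the two enriched hits for msg-1 and msg-2; msg-4 matches the feed but has no EmailEvents row, so the join drops it.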

Details


Benjamin Zulliger

Released: November 10, 2024

Tables

EmailUrlInfo, EmailEvents

Keywords

EmailUrlInfoEvents

Operators

externaldata, extend, substring, indexof, where, isnotempty, has_any, join
