# Emotet Domain IOC Feed

#### Source: Talos Intelligence
#### Feed information: https://blog.talosintelligence.com/emotet-coming-in-hot/
#### Feed link: https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_domains.txt

### Defender For Endpoint

```
let EmotetDomain = externaldata(Domain: string)[@"https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl in~ (EmotetDomain)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```

### Sentinel

```
let EmotetDomain = externaldata(Domain: string)[@"https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl in~ (EmotetDomain)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```
The query loads the Talos list of Emotet domain indicators of compromise (IOCs) with `externaldata`, reading the raw text file one domain per line and skipping its first record. It then filters `DeviceNetworkEvents` for rows whose `RemoteUrl` matches one of those domains (`in~` is a case-insensitive, whole-value comparison). For each hit it returns the timestamp (`Timestamp` in Defender For Endpoint, `TimeGenerated` in Sentinel), remote URL, remote IP, device name, and the initiating process's command line, file name, account domain and account name.
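To make the matching semantics concrete, here is an added, offline re-implementation of what the query does; it is not part of the original page or the feed. The feed contents, event rows, host names and IPs are constructed sample data, and `match_by_host` goes beyond the page's query by reducing a full URL in `RemoteUrl` to its host before comparing, which is one way to catch events whose `RemoteUrl` carries a path rather than a bare FQDN.

```python
"""Offline mirror of the Emotet domain-IOC match done by the KQL query.
Added example, not the page's own code; all data below is constructed."""
from urllib.parse import urlsplit

# Constructed stand-in for Emotet_contacted_domains.txt.  The first line plays
# the role of the header that externaldata(..., ignoreFirstRecord=True) skips.
FEED_TEXT = """domain
example-malicious-one.test
Example-Malicious-Two.test

example-malicious-three.test
"""

# Constructed stand-in for DeviceNetworkEvents rows (a subset of the columns
# the query projects).
EVENTS = [
    {"Timestamp": "2023-02-14T10:00:00Z", "RemoteUrl": "example-malicious-one.test",
     "RemoteIP": "203.0.113.10", "DeviceName": "ws01",
     "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2023-02-14T10:01:00Z", "RemoteUrl": "EXAMPLE-MALICIOUS-TWO.TEST",
     "RemoteIP": "203.0.113.11", "DeviceName": "ws02",
     "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": "2023-02-14T10:02:00Z",
     "RemoteUrl": "https://example-malicious-three.test/wp-content/x.php",
     "RemoteIP": "203.0.113.12", "DeviceName": "ws03",
     "InitiatingProcessFileName": "regsvr32.exe"},
    {"Timestamp": "2023-02-14T10:03:00Z", "RemoteUrl": "update.example.test",
     "RemoteIP": "198.51.100.5", "DeviceName": "ws04",
     "InitiatingProcessFileName": "svchost.exe"},
]


def load_feed(text, ignore_first_record=True):
    """Parse a format="txt" feed: one record per line, optional header skipped,
    blank lines dropped, values lower-cased for case-insensitive comparison."""
    lines = text.splitlines()
    if ignore_first_record:
        lines = lines[1:]
    return {line.strip().lower() for line in lines if line.strip()}


def match_exact(events, iocs):
    """Mirror of `RemoteUrl in~ (EmotetDomain)`: case-insensitive whole-value
    membership test, so a URL with a scheme or path does not match."""
    return [e for e in events if e["RemoteUrl"].lower() in iocs]


def host_of(remote_url):
    """Reduce a RemoteUrl value (bare FQDN or full URL) to its host name."""
    if "://" not in remote_url:
        remote_url = "//" + remote_url  # let urlsplit treat it as a netloc
    return (urlsplit(remote_url).hostname or "").lower()


def match_by_host(events, iocs):
    """Broader variant than the page's query: compare on the host part of
    RemoteUrl, so full URLs to a listed domain are also flagged."""
    return [e for e in events if host_of(e["RemoteUrl"]) in iocs]


if __name__ == "__main__":
    iocs = load_feed(FEED_TEXT)
    for label, hits in (("exact", match_exact(EVENTS, iocs)),
                        ("by host", match_by_host(EVENTS, iocs))):
        print(label, [(h["DeviceName"], h["RemoteUrl"]) for h in hits])
```

Run against the constructed data, the exact match flags ws01 and ws02 only; ws03 is missed because its `RemoteUrl` is a full URL, while the host-based variant flags all three. Whether that broader matching is wanted depends on how `RemoteUrl` is populated in a given tenant, so it is shown here as an option rather than as a replacement for the query above.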

Bert-Jan Pals
Released: February 14, 2023