TI Feed C2URL Feed

Query

# Command & Control intel Feeds (Domain Based)

#### Source: https://github.com/drb-ra
#### Feed information: https://github.com/drb-ra/C2IntelFeeds
#### Feed link: https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/domainC2swithURLwithIP.csv

**Preferably use the URL filter abuse detection to prevent false positives**: [Detection](./TI%20Feed%20-%20C2URLFeedFilterAbuse.md)

### Defender For Endpoint
```
// Collect the remote feed (CSV columns: Domain, ioc, path, IP)
let C2IntelFeeds = externaldata(Domain: string, ioc: string, path: string, IP: string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2swithURLwithIP.csv"] with (format="csv", ignoreFirstRecord=true);
// Generate a distinct domain list that can be used to filter DeviceNetworkEvents
let DomainList = C2IntelFeeds
| distinct Domain;
DeviceNetworkEvents
// Normalise the URL to lower case before matching it against the feed domains
| extend ToLowerUrl = tolower(RemoteUrl)
// Filter only on C2 domains
| where ToLowerUrl has_any (DomainList)
// Joining the C2IntelFeed information might skew the results, therefore it has been left commented out.
//| join C2IntelFeeds on $left.RemoteIP == $right.IP
// Enrich the remote IP with GeoIP information (geo_info_from_ip_address already returns a dynamic object)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl
```


### Sentinel
```
// Collect the remote feed (CSV columns: Domain, ioc, path, IP)
let C2IntelFeeds = externaldata(Domain: string, ioc: string, path: string, IP: string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2swithURLwithIP.csv"] with (format="csv", ignoreFirstRecord=true);
// Generate a distinct domain list that can be used to filter DeviceNetworkEvents
let DomainList = C2IntelFeeds
| distinct Domain;
DeviceNetworkEvents
// Normalise the URL to lower case before matching it against the feed domains
| extend ToLowerUrl = tolower(RemoteUrl)
// Filter only on C2 domains
| where ToLowerUrl has_any (DomainList)
// Joining the C2IntelFeed information might skew the results, therefore it has been left commented out.
//| join C2IntelFeeds on $left.RemoteIP == $right.IP
// Enrich the remote IP with GeoIP information (geo_info_from_ip_address already returns a dynamic object)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl
```


Explanation

The query downloads the C2IntelFeeds CSV with `externaldata` and builds a distinct list of C2 domains that is used to filter `DeviceNetworkEvents`. Every network event whose remote URL contains one of those domains is kept and enriched with GeoIP details for the remote IP; the join back onto the feed rows is left commented out because it can skew the results. The final result includes the timestamp (or `TimeGenerated` in Sentinel), device name, remote IP, remote port, and remote URL.
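The matching step of the query, modelled offline in Python so the behaviour can be checked against sample data. This is an added example, not part of the original page or of the C2IntelFeeds project; the feed rows and the `DeviceNetworkEvents` rows below are constructed, and the plain case-insensitive substring check is a simplification of KQL's `has_any`. The example goes one step beyond the page by also showing a stricter host-only variant, which only fires when the feed domain is the URL's host (or a subdomain of it) rather than appearing anywhere in the URL, such as in a query string.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample in the feed's column layout (Domain, ioc, path, IP); not real feed data.
FEED_CSV = """Domain,ioc,path,IP
c2-example.test,c2-example.test/api/beacon,/api/beacon,203.0.113.10
updates.example.invalid,updates.example.invalid/check,/check,198.51.100.7
"""

# Constructed DeviceNetworkEvents rows with the columns the query projects.
EVENTS = [
    {"Timestamp": "2023-06-14T10:00:00Z", "DeviceName": "ws01", "RemoteIP": "203.0.113.10",
     "RemotePort": 443, "RemoteUrl": "https://C2-Example.test/api/beacon"},
    # The feed domain only appears inside a query parameter of an unrelated site.
    {"Timestamp": "2023-06-14T10:01:00Z", "DeviceName": "ws02", "RemoteIP": "192.0.2.5",
     "RemotePort": 443, "RemoteUrl": "https://search.example.org/?q=c2-example.test"},
    {"Timestamp": "2023-06-14T10:02:00Z", "DeviceName": "ws03", "RemoteIP": "192.0.2.9",
     "RemotePort": 80, "RemoteUrl": "http://intranet.local/status"},
]

PROJECTED = ("Timestamp", "DeviceName", "RemoteIP", "RemotePort", "RemoteUrl")


def load_domain_list(feed_csv):
    """Mirror `externaldata(...) | distinct Domain`; DictReader skips the header row."""
    reader = csv.DictReader(io.StringIO(feed_csv))
    return {row["Domain"].strip().lower() for row in reader if row.get("Domain")}


def url_host(url):
    """Return the lower-cased host of a URL; RemoteUrl values may lack a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def match_events(events, domains, host_only=False):
    """Return the projected rows of events that match a feed domain.

    host_only=False: case-insensitive containment anywhere in the URL
                     (a simplified stand-in for `tolower(RemoteUrl) has_any (DomainList)`).
    host_only=True:  the URL host must equal a feed domain or be a subdomain of one.
    """
    hits = []
    for ev in events:
        url = ev["RemoteUrl"].lower()
        if host_only:
            host = url_host(url)
            matched = host in domains or any(host.endswith("." + d) for d in domains)
        else:
            matched = any(d in url for d in domains)
        if matched:
            hits.append({k: ev[k] for k in PROJECTED})
    return hits


if __name__ == "__main__":
    domain_list = load_domain_list(FEED_CSV)
    for row in match_events(EVENTS, domain_list):
        print("substring match:", row["DeviceName"], row["RemoteUrl"])
    for row in match_events(EVENTS, domain_list, host_only=True):
        print("host-only match:", row["DeviceName"], row["RemoteUrl"])
```

With the constructed data the substring variant returns `ws01` and `ws02`, while the host-only variant returns only `ws01`; when tuning the query, the host-only behaviour is the one to aim for if the looser match produces noise in your environment.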

Details

Bert-Jan Pals

Released: June 14, 2023

Tables

C2IntelFeeds, DeviceNetworkEvents

Keywords

Devices, Intune, User

Operators

externaldata, with, format, ignoreFirstRecord, distinct, extend, tolower, where, has_any, geo_info_from_ip_address, tostring, parse_json, project-reorder