Query Details

Command & Control intel Feeds (Domain Based)

TI Feed C2URL Feed

Query

// Collect Remote data
let C2IntelFeeds = externaldata(Domain: string, ioc:string, path:string, IP:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2swithURLwithIP.csv"] with (format="csv", ignoreFirstRecord=True);
// Generate list that can be used to filter DeviceNetworkEvents
let DomainList = C2IntelFeeds
| distinct Domain;
DeviceNetworkEvents
// Filter only on C2 Domains
| extend ToLowerUrl = tolower(RemoteUrl)
| where RemoteUrl has_any (DomainList)
// Join the C2IntelFeed information for enrichment
| join kind=leftouter C2IntelFeeds on $left.RemoteIP == $right.IP
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl

About this query

Explanation

This query is designed to detect potential Command & Control (C2) activities by analyzing network events and comparing them against a known list of C2 domains. Here's a simplified explanation of what the query does:

  1. Data Collection: It retrieves a list of known C2 domains and associated information from an external CSV file hosted on GitHub.

  2. Domain List Creation: It extracts a distinct list of domains from this data, which will be used to filter network events.

  3. Event Filtering: It examines network events (specifically DeviceNetworkEvents) to identify any events where the remote URL matches any of the domains in the C2 domain list.

  4. Data Enrichment: For any matching events, it enriches the data by joining it with the C2 domain information, adding geographical details based on the remote IP address.

  5. Output: The query then organizes the results to display key information such as the timestamp, device name, remote IP, remote port, and remote URL.

The query is structured similarly for both Defender XDR and Sentinel, with slight differences in the output column names (Timestamp vs. TimeGenerated). The goal is to help identify and analyze potential C2 communications within a network, aiding in threat detection and response.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 18, 2026

Tables

DeviceNetworkEvents

Keywords

CommandControlIntelFeedsDomainDevicesNetworkEventsGeoIPInformation

Operators

externaldatawithdistinctextendtolowerwherehas_anyjoinkindongeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub