Query Details

TI Feed Digital Side Domains

Query

# DigitalSide Threat-Intel suspicious and/or malicious domains

#### Source: DigitalSide Threat-Intel
#### Feed information: https://osint.digitalside.it/
#### Feed link: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt

### Defender For Endpoint
```KQL
let ThreatIntelFeed = externaldata(Domain: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl has_any (ThreatIntelFeed)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```

### Sentinel
```KQL
let ThreatIntelFeed = externaldata(Domain: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl has_any (ThreatIntelFeed)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```

Explanation

This query loads the list of suspicious and/or malicious domains published by the DigitalSide Threat-Intel feed with externaldata and stores it in the ThreatIntelFeed variable. It then searches DeviceNetworkEvents for any remote URL that contains one of the feed's domains. For every matching event the query returns the timestamp (TimeGenerated in Sentinel), remote URL, remote IP, device name, initiating process command line, initiating process file name, initiating process account domain, and initiating process account name.
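The same feed-to-event matching, run offline in Python over constructed sample records, as an added example that is not part of the original page or the query above. It goes slightly beyond `has_any` by parsing the host out of RemoteUrl and matching it against each feed domain or its parent domains, so a look-alike host such as `notbad-example.test` is not counted as a hit. The feed layout (one domain per line, `#` comment lines) and the event fields are assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for latestdomains.txt: plain text, one domain per line.
# The '#' header/comment lines are an assumption about the feed's layout.
SAMPLE_FEED = """\
# DigitalSide Threat-Intel domains list (constructed sample header)
bad-example.test
evil-cdn.example
"""

# Constructed DeviceNetworkEvents-style records using the page's column names.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-12-06T10:01:00Z", "DeviceName": "ws01",
     "RemoteUrl": "https://bad-example.test/payload.bin", "RemoteIP": "192.0.2.10"},
    {"Timestamp": "2023-12-06T10:02:00Z", "DeviceName": "ws02",
     "RemoteUrl": "https://login.evil-cdn.example/", "RemoteIP": "192.0.2.11"},
    {"Timestamp": "2023-12-06T10:03:00Z", "DeviceName": "ws03",
     "RemoteUrl": "https://notbad-example.test/", "RemoteIP": "192.0.2.12"},
    {"Timestamp": "2023-12-06T10:04:00Z", "DeviceName": "ws04",
     "RemoteUrl": "updates.example.org", "RemoteIP": "192.0.2.13"},
]


def parse_feed(text):
    """Return the set of feed domains, skipping blank lines and '#' comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            domains.add(line)
    return domains


def hostname_of(remote_url):
    """Extract the host from RemoteUrl; bare hostnames without a scheme are accepted."""
    url = remote_url if "://" in remote_url else "//" + remote_url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def match_events(events, domains):
    """Keep events whose host equals a feed domain or is a subdomain of one."""
    hits = []
    for ev in events:
        labels = hostname_of(ev["RemoteUrl"]).split(".")
        candidates = {".".join(labels[i:]) for i in range(len(labels))}
        matched = candidates & domains
        if matched:
            hits.append({**ev, "MatchedDomain": max(matched, key=len)})
    return hits
```

Pointing `parse_feed` at the downloaded feed text instead of `SAMPLE_FEED` gives the same check against exported DeviceNetworkEvents rows.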

Details

Bert-Jan Pals

Released: December 6, 2023

Tables

DeviceNetworkEvents

Keywords

Devices, Intune, User

Operators

let, externaldata, with, where, has_any, project