Query Details

DigitalSide Threat-Intel suspicious and/or malicious domains

TI Feed Digital Side Domains

Query

let ThreatIntelFeed = externaldata(Domain: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl has_any (ThreatIntelFeed)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

About this query

DigitalSide Threat-Intel suspicious and/or malicious domains

Source: DigitalSide Threat-Intel

Feed information: https://osint.digitalside.it/

Feed link: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt

Defender XDR

Sentinel

let ThreatIntelFeed = externaldata(Domain: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl has_any (ThreatIntelFeed)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Explanation

This query is designed to identify suspicious or malicious domains from network events by using a threat intelligence feed from DigitalSide. Here's a simple breakdown of what each part does:

  1. Threat Intelligence Feed: The query starts by loading a list of potentially harmful domains from an external source provided by DigitalSide. This list is accessed via a URL and is formatted as a text file.

  2. Device Network Events: The query then examines network events recorded by devices. It looks specifically at the URLs that devices have connected to.

  3. Filtering: The query filters these network events to find any instances where the device connected to a URL that matches one of the domains in the threat intelligence feed.

  4. Projection: For any matching events, the query extracts and displays specific details, including:

    • The timestamp of the event.
    • The URL and IP address the device connected to.
    • The name of the device.
    • Information about the process that initiated the connection, such as the command line used, the file name, and the account domain and name.

The difference between the two queries (Defender XDR and Sentinel) is minimal, with the main distinction being the field name for the timestamp (Timestamp in Defender XDR and TimeGenerated in Sentinel). Both queries serve the same purpose of identifying potentially harmful connections based on the threat intelligence feed.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeedDeviceNetworkEventsRemoteUrlRemoteIPDeviceNameInitiatingProcessCommandLineInitiatingProcessFileNameInitiatingProcessAccountDomainInitiatingProcessAccountNameTimestampTimeGenerated

Operators

letexternaldatawithwherehas_anyproject

Actions

GitHub