ThreatFox Malware Domains
TI Feed Threatfox Malware Domains
Query
let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MalwareDomains = materialize (
ThreatIntelFeed
| where LineInfo matches regex IPRegex
| extend domain = extract(@'127.0.0.1(.*)\b', 1 , LineInfo)
| distinct domain
);
DeviceNetworkEvents
| where RemoteUrl has_any (MalwareDomains)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountNameAbout this query
ThreatFox Malware Domains
Source: ThreatFox
Feed information: https://threatfox.abuse.ch/faq/#tos
Feed link: https://threatfox.abuse.ch/downloads/hostfile/
Defender XDR
let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MalwareDomains = materialize (
ThreatIntelFeed
| where LineInfo matches regex IPRegex
| extend domain = extract(@'127.0.0.1(.*)\b', 1 , LineInfo)
| distinct domain
);
DeviceNetworkEvents
| where RemoteUrl has_any (MalwareDomains)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
Sentinel
Explanation
This query is designed to identify network events involving known malware domains using data from the ThreatFox feed. Here's a simple breakdown of what each part of the query does:
-
Data Import: The query starts by importing data from the ThreatFox host file, which lists known malware domains. This data is brought into the system as a text file, ignoring the first record (usually a header).
-
IP Address Pattern: It defines a regular expression (
IPRegex) to identify lines in the data that contain IP addresses. This pattern matches typical IPv4 addresses. -
Extracting Malware Domains:
- The query filters the imported data to only include lines that match the IP address pattern.
- It then extracts domain names from these lines using another regular expression. The pattern looks for domains following the placeholder IP
127.0.0.1in the data. - The
distinctfunction ensures that only unique domain names are kept.
-
Network Event Filtering:
- The query then looks at
DeviceNetworkEvents, which contains records of network activities. - It filters these events to find any where the
RemoteUrlmatches any of the domains identified as malware.
- The query then looks at
-
Output: Finally, the query outputs specific details about these network events, including the timestamp, URL, IP address, device name, and information about the process that initiated the network connection.
The main difference between the two queries (Defender XDR and Sentinel) is the naming of the timestamp field in the output: Timestamp for Defender XDR and TimeGenerated for Sentinel.
Details

Bert-Jan Pals
Released: October 26, 2025
Tables
Keywords
Operators