# ThreatFox Malware Domains
#### Source: ThreatFox
#### Feed information: https://threatfox.abuse.ch/faq/#tos
#### Feed link: https://threatfox.abuse.ch/downloads/hostfile/
### Defender For Endpoint
```
// Fetch the ThreatFox hostfile at query time. The file opens with comment lines,
// so only rows that carry the sinkhole address are treated as data.
let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = @'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}';
let MalwareDomains = materialize (
ThreatIntelFeed
| where LineInfo matches regex IPRegex
// Data rows look like "127.0.0.1<whitespace>domain"; capture only the domain so the list holds bare hostnames
| extend domain = extract(@'^127\.0\.0\.1\s+(\S+)', 1, LineInfo)
| where isnotempty(domain)
| distinct domain
| take 10000 // has_any() accepts at most 10,000 terms; anything beyond that is dropped
);
DeviceNetworkEvents
| where RemoteUrl has_any (MalwareDomains)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```
### Sentinel
```
// Fetch the ThreatFox hostfile at query time. The file opens with comment lines,
// so only rows that carry the sinkhole address are treated as data.
let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = @'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}';
let MalwareDomains = materialize (
ThreatIntelFeed
| where LineInfo matches regex IPRegex
// Data rows look like "127.0.0.1<whitespace>domain"; capture only the domain so the list holds bare hostnames
| extend domain = extract(@'^127\.0\.0\.1\s+(\S+)', 1, LineInfo)
| where isnotempty(domain)
| distinct domain
| take 10000 // has_any() accepts at most 10,000 terms; anything beyond that is dropped
);
DeviceNetworkEvents
| where RemoteUrl has_any (MalwareDomains)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```

The query downloads the ThreatFox hostfile at run time with externaldata, keeps only the rows that carry the sinkhole address 127.0.0.1, extracts the domain from each row and deduplicates the list, then matches those domains against RemoteUrl in DeviceNetworkEvents for Defender for Endpoint or Sentinel. Each hit returns the timestamp, remote URL, remote IP, device name, and the initiating process command line, file name, account domain and account name. Two things to keep in mind: has_any() accepts at most 10,000 terms, so the take 10000 cap silently drops any domains beyond that; and because externaldata fetches the feed on every run, the query needs outbound access to threatfox.abuse.ch and is subject to the feed's terms of use linked above.
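As an added, offline illustration of the logic both queries run (this is example code written for this page, not code from the repository or from ThreatFox), the Python below parses a constructed hostfile excerpt the same way the KQL does, caps the list as take 10000 does, and then checks constructed DeviceNetworkEvents rows against it. The hostfile lines, domains and events are made up; the only real format assumption is that data rows are "127.0.0.1" followed by whitespace and a domain. One deliberate difference from the query: has_any() is a term match against the whole RemoteUrl string, whereas this example parses the hostname out of RemoteUrl and matches only on label boundaries (exact domain or a subdomain of it), which is the stricter form.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the ThreatFox hostfile download: comment header,
# a duplicate row, and a CRLF line ending, all of which the parser must tolerate.
SAMPLE_HOSTFILE = (
    "################################################################\n"
    "# abuse.ch ThreatFox Malware Domains (constructed sample)      #\n"
    "################################################################\n"
    "127.0.0.1\tbad-updates.example\n"
    "127.0.0.1\tcdn.loader.example\n"
    "127.0.0.1\tbad-updates.example\n"
    "127.0.0.1\tpanel.c2.example\r\n"
)

# Constructed DeviceNetworkEvents rows; RemoteUrl may be a bare host or a full URL.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteUrl": "https://www.bad-updates.example/update.bin"},
    {"DeviceName": "ws02", "RemoteUrl": "cdn.loader.example"},
    {"DeviceName": "ws03", "RemoteUrl": "notbad-updates.example"},  # lookalike, must not match
    {"DeviceName": "ws04", "RemoteUrl": "https://login.microsoftonline.com/"},
]

# Mirrors the KQL: only rows that start with the sinkhole address are data rows,
# and only the domain after the whitespace separator is kept.
SINKHOLE_ROW = re.compile(r"^127\.0\.0\.1\s+(\S+)\s*$")
MAX_TERMS = 10000  # has_any() accepts at most 10,000 terms


def parse_hostfile(text, limit=MAX_TERMS):
    """Return the distinct domains from hostfile text, in file order, capped at `limit`."""
    domains, seen = [], set()
    for line in text.splitlines():  # handles both LF and CRLF
        m = SINKHOLE_ROW.match(line)
        if not m:
            continue  # comment / header line
        domain = m.group(1).lower().rstrip(".")
        if domain in seen:
            continue  # same as `distinct domain`
        seen.add(domain)
        domains.append(domain)
        if len(domains) >= limit:  # same as `take 10000`: the rest is dropped
            break
    return domains


def hostname_of(remote_url):
    """Extract the host from a RemoteUrl value, which may or may not carry a scheme."""
    if "://" not in remote_url:
        remote_url = "//" + remote_url  # lets urlsplit treat the leading part as netloc
    return (urlsplit(remote_url).hostname or "").lower()


def match_events(events, domains):
    """Return events whose RemoteUrl host is a listed domain or a subdomain of one."""
    listed = set(domains)
    hits = []
    for event in events:
        labels = hostname_of(event["RemoteUrl"]).split(".")
        # Check the host and every parent on a label boundary: a.b.c -> a.b.c, b.c, c
        if any(".".join(labels[i:]) in listed for i in range(len(labels))):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, parse_hostfile(SAMPLE_HOSTFILE)):
        print(hit["DeviceName"], hit["RemoteUrl"])
```

Running it lists ws01 and ws02 only: the header lines and the duplicate row are discarded during parsing, the CRLF row survives, and the lookalike host on ws03 does not match because "bad-updates.example" is not one of its label-boundary suffixes.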

Bert-Jan Pals
Released: February 14, 2023