Query Details

ThreatFox Malware Domains

TI Feed Threatfox Malware Domains

Query

let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MalwareDomains = materialize (
     ThreatIntelFeed
     | where LineInfo matches regex IPRegex
     | extend domain = extract(@'127.0.0.1(.*)\b', 1 , LineInfo)
     | distinct domain
     );
DeviceNetworkEvents
| where RemoteUrl has_any (MalwareDomains)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

About this query

ThreatFox Malware Domains

Source: ThreatFox

Feed information: https://threatfox.abuse.ch/faq/#tos

Feed link: https://threatfox.abuse.ch/downloads/hostfile/

Defender XDR

let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MalwareDomains = materialize (
     ThreatIntelFeed
     | where LineInfo matches regex IPRegex
     | extend domain = extract(@'127.0.0.1(.*)\b', 1 , LineInfo)
     | distinct domain
     );
DeviceNetworkEvents
| where RemoteUrl has_any (MalwareDomains)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Sentinel

Explanation

This query is designed to identify network events involving known malware domains using data from the ThreatFox feed. Here's a simple breakdown of what each part of the query does:

  1. Data Import: The query starts by importing data from the ThreatFox host file, which lists known malware domains. This data is brought into the system as a text file, ignoring the first record (usually a header).

  2. IP Address Pattern: It defines a regular expression (IPRegex) to identify lines in the data that contain IP addresses. This pattern matches typical IPv4 addresses.

  3. Extracting Malware Domains:

    • The query filters the imported data to only include lines that match the IP address pattern.
    • It then extracts domain names from these lines using another regular expression. The pattern looks for domains following the placeholder IP 127.0.0.1 in the data.
    • The distinct function ensures that only unique domain names are kept.
  4. Network Event Filtering:

    • The query then looks at DeviceNetworkEvents, which contains records of network activities.
    • It filters these events to find any where the RemoteUrl matches any of the domains identified as malware.
  5. Output: Finally, the query outputs specific details about these network events, including the timestamp, URL, IP address, device name, and information about the process that initiated the network connection.

The main difference between the two queries (Defender XDR and Sentinel) is the naming of the timestamp field in the output: Timestamp for Defender XDR and TimeGenerated for Sentinel.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 26, 2025

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeedMalwareDomainsDeviceNetworkEventsRemoteUrlRemoteIPDeviceNameInitiatingProcessCommandLineInitiatingProcessFileNameInitiatingProcessAccountDomainInitiatingProcessAccountName

Operators

letexternaldatawithformatignoreFirstRecordmatchesregexextendextractdistinctmaterializewherehas_anyproject

Actions

GitHub