Threatview Domain High Confidence Feed
TI Feed Threatviewio Domain High Confidence Feed
Query
let ThreatIntelFeed = externaldata(Domain: string)[@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where tolower(RemoteUrl) has_any (ThreatIntelFeed)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountNameAbout this query
Threatview Domain High Confidence Feed
Source: Threatview
Feed information: https://threatview.io/
Feed link: https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt
Defender XDR
Sentinel
let ThreatIntelFeed = externaldata(Domain: string)[@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where tolower(RemoteUrl) has_any (ThreatIntelFeed)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
Explanation
This query is designed to identify network events involving potentially malicious domains by comparing them against a high-confidence threat intelligence feed from Threatview. Here's a simple breakdown of what each part of the query does:
-
Threat Intelligence Feed Import:
- The query starts by importing a list of potentially harmful domains from an external source, specifically from Threatview's high-confidence domain feed. This list is treated as a reference to check against network events.
-
Filtering Network Events:
- It then examines network events recorded in the
DeviceNetworkEventstable. - The query filters these events to find any where the domain (URL) accessed matches any domain in the Threatview feed. This is done using a case-insensitive comparison.
- It then examines network events recorded in the
-
Geolocation Information:
- For each matching event, the query retrieves geolocation information based on the IP address involved in the event. This includes details like country, state, city, latitude, and longitude.
-
Data Presentation:
- Finally, the query organizes the results to display specific columns: timestamp (or time generated), device name, remote IP address, remote port, and the account name of the process that initiated the connection.
- The order of these columns is slightly different between the Defender XDR and Sentinel versions, with the main difference being the timestamp column name (
Timestampvs.TimeGenerated).
In summary, this query is used to detect and analyze network connections to potentially malicious domains by leveraging a threat intelligence feed, and it enriches the data with geolocation information for further context.
Details

Bert-Jan Pals
Released: December 4, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsGeoIPInfoRemoteUrlPortInitiatingProcessAccountNameTimestampTimeGeneratedCountryStateCityLatitudeLongitudeDomain
Operators
letexternaldatawithwheretolowerhas_anyextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder