Query Details

TI Feed Threatviewio Domain High Confidence Feed

Query

# Threatview Domain High Confidence Feed

#### Source: Threatview
#### Feed information: https://threatview.io/
#### Feed link: https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt

### Defender For Endpoint
```KQL
// Pull the ThreatView domain feed at query time; the file's first line is a header, so skip it.
let ThreatIntelFeed = externaldata(Domain: string)[@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
// has_any is a case-insensitive term match: a feed domain hits the URL host and any of its subdomains.
| where tolower(RemoteUrl) has_any (ThreatIntelFeed)
// Enrich the remote address with the built-in GeoLite2-based location lookup.
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
// Triage columns first; every other column is kept after them.
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName, RemoteUrl, country, city
```

### Sentinel
```KQL
// Pull the ThreatView domain feed at query time; the file's first line is a header, so skip it.
let ThreatIntelFeed = externaldata(Domain: string)[@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
// has_any is a case-insensitive term match: a feed domain hits the URL host and any of its subdomains.
| where tolower(RemoteUrl) has_any (ThreatIntelFeed)
// Enrich the remote address with the built-in GeoLite2-based location lookup.
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
// Triage columns first; every other column is kept after them. Sentinel uses TimeGenerated instead of Timestamp.
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName, RemoteUrl, country, city
```

Explanation

This query pulls the current ThreatView Domain High Confidence Feed over HTTPS at query time with `externaldata` (the file's first line is a header, hence `ignoreFirstRecord=True`) and tests every feed domain against `RemoteUrl` in `DeviceNetworkEvents` with `has_any`. Because `has_any` is a case-insensitive term match, a feed entry such as `evil.example` hits `https://evil.example/path` and `cdn.evil.example`, but not `notevil.example`. Matching events are enriched with `geo_info_from_ip_address` on `RemoteIP`, and the triage columns (time, device, remote address and port, initiating account) are moved to the front of the result. Two caveats for scheduled use: the feed is fetched on every run, so results change as the feed changes and the query fails outright if threatview.io is unreachable; and events with an empty `RemoteUrl` (connections made directly to an IP address) can never match, so this query only covers name-based connections.
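The following is an added example, not code from the original page or from ThreatView: it emulates the query's three steps offline (skip the feed header, match feed domains against `RemoteUrl` with `has_any` term semantics, enrich hits with geo data) so the matching behaviour can be checked without a tenant. The feed text, the `DeviceNetworkEvents` rows and the geo table are constructed; the term-boundary rule is an approximation of Kusto's, and `geo_info_from_ip_address` here is a stand-in for the KQL function.

```python
"""Offline emulation of the ThreatView domain-feed KQL query above.
Added example with constructed data; not the page's or ThreatView's code."""
import re

# Constructed stand-in for DOMAIN-High-Confidence-Feed.txt. The real feed starts
# with a header line, which the KQL drops with ignoreFirstRecord=True.
FEED_TEXT = """# Threatview.io Domain High Confidence Feed (constructed sample header)
malicious.example
c2-server.example
"""

# Constructed DeviceNetworkEvents rows, limited to the columns the query uses.
EVENTS = [
    {"Timestamp": "2024-05-13T08:01:12Z", "DeviceName": "ws-042",
     "RemoteUrl": "https://login.MALICIOUS.example/portal", "RemoteIP": "203.0.113.10",
     "RemotePort": 443, "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": "2024-05-13T08:02:40Z", "DeviceName": "ws-017",
     "RemoteUrl": "https://notmalicious.example/", "RemoteIP": "198.51.100.5",
     "RemotePort": 443, "InitiatingProcessAccountName": "asmith"},
    {"Timestamp": "2024-05-13T08:03:05Z", "DeviceName": "srv-db1",
     "RemoteUrl": "", "RemoteIP": "192.0.2.7",  # direct-to-IP connection: no URL at all
     "RemotePort": 445, "InitiatingProcessAccountName": "SYSTEM"},
    {"Timestamp": "2024-05-13T08:04:31Z", "DeviceName": "ws-009",
     "RemoteUrl": "http://c2-server.example:8080/beacon", "RemoteIP": "203.0.113.77",
     "RemotePort": 8080, "InitiatingProcessAccountName": "bwayne"},
]

# Constructed geo table standing in for geo_info_from_ip_address(); not real data.
GEO_TABLE = {
    "203.0.113.10": {"country": "Netherlands", "state": "North Holland",
                     "city": "Amsterdam", "latitude": 52.37, "longitude": 4.89},
}


def parse_feed(text: str) -> list[str]:
    """externaldata(format="txt", ignoreFirstRecord=True): drop line 1, one domain per line."""
    return [ln.strip().lower() for ln in text.splitlines()[1:] if ln.strip()]


# Approximation of Kusto term boundaries: runs of ASCII letters and digits are terms,
# everything else (dots, slashes, colons, ...) separates terms.
_TERM = re.compile(r"[A-Za-z0-9]+")


def _terms(s: str) -> list[str]:
    return _TERM.findall(s.lower())


def has(haystack: str, needle: str) -> bool:
    """Emulate `haystack has needle`: the needle's terms must occur as a run of
    consecutive whole terms, so "evil.example" hits "sub.evil.example" but not
    "notevil.example". Case-insensitive, like the KQL operator."""
    h, n = _terms(haystack), _terms(needle)
    if not n or len(n) > len(h):
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def has_any(haystack: str, needles: list[str]) -> bool:
    return any(has(haystack, n) for n in needles)


def geo_info_from_ip_address(ip: str) -> dict:
    """Stand-in for the KQL function; unknown addresses yield an empty object."""
    return GEO_TABLE.get(ip, {})


def match_events(events: list[dict], feed: list[str]) -> list[dict]:
    """The query body: where RemoteUrl has_any (feed) | extend geo columns | reorder."""
    hits = []
    for ev in events:
        if not has_any(ev["RemoteUrl"], feed):
            continue
        geo = geo_info_from_ip_address(ev["RemoteIP"])
        row = {k: ev[k] for k in ("Timestamp", "DeviceName", "RemoteIP", "RemotePort",
                                  "InitiatingProcessAccountName", "RemoteUrl")}
        # tostring() on a missing dynamic property yields "" in KQL; mirror that here.
        for col in ("country", "state", "city", "latitude", "longitude"):
            row[col] = str(geo[col]) if col in geo else ""
        hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in match_events(EVENTS, parse_feed(FEED_TEXT)):
        print(hit)
```

Running it returns the `ws-042` and `ws-009` rows only: the `notmalicious.example` URL is rejected because `notmalicious` is a different term from `malicious`, and the direct-to-IP connection on `srv-db1` has no URL to match, which is the gap noted above.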

Details

Bert-Jan Pals

Released: May 13, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeed,DeviceNetworkEvents,RemoteUrl,GeoIPInfo,RemoteIP,RemotePort,InitiatingProcessAccountName,TimeGenerated,DeviceName

Operators

let,where,has_any,extend,geo_info_from_ip_address,tostring,parse_json,project-reorder
