Query Details

Threatview Domain High Confidence Feed

TI Feed Threatviewio Domain High Confidence Feed

Query

let ThreatIntelFeed = externaldata(Domain: string)[@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where tolower(RemoteUrl) has_any (ThreatIntelFeed)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

About this query

Threatview Domain High Confidence Feed

Source: Threatview

Feed information: https://threatview.io/

Feed link: https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt

Defender XDR

Sentinel

let ThreatIntelFeed = externaldata(Domain: string)[@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where tolower(RemoteUrl) has_any (ThreatIntelFeed)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Explanation

This query is designed to identify network events involving potentially malicious domains by comparing them against a high-confidence threat intelligence feed from Threatview. Here's a simple breakdown of what each part of the query does:

  1. Threat Intelligence Feed Import:

    • The query starts by importing a list of potentially harmful domains from an external source, specifically from Threatview's high-confidence domain feed. This list is treated as a reference to check against network events.
  2. Filtering Network Events:

    • It then examines network events recorded in the DeviceNetworkEvents table.
    • The query filters these events to find any where the domain (URL) accessed matches any domain in the Threatview feed. This is done using a case-insensitive comparison.
  3. Geolocation Information:

    • For each matching event, the query retrieves geolocation information based on the IP address involved in the event. This includes details like country, state, city, latitude, and longitude.
  4. Data Presentation:

    • Finally, the query organizes the results to display specific columns: timestamp (or time generated), device name, remote IP address, remote port, and the account name of the process that initiated the connection.
    • The order of these columns is slightly different between the Defender XDR and Sentinel versions, with the main difference being the timestamp column name (Timestamp vs. TimeGenerated).

In summary, this query is used to detect and analyze network connections to potentially malicious domains by leveraging a threat intelligence feed, and it enriches the data with geolocation information for further context.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 4, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsGeoIPInfoRemoteUrlPortInitiatingProcessAccountNameTimestampTimeGeneratedCountryStateCityLatitudeLongitudeDomain

Operators

letexternaldatawithwheretolowerhas_anyextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub