Query Details
// This query detects network events to destinations listed on the urlhaus.abuse.ch feed
// Pull the online URLhaus CSV feed as raw text lines, one row per line
let URLHausOnlineRAW = externaldata (UHFeed:string) ["https://urlhaus.abuse.ch/downloads/csv_online/"] with(format="txt")
| where UHFeed !startswith "#"                  // drop feed comment lines
| extend UHRAW=replace_string(UHFeed, '"', '')   // strip the quotes around each field
| project splitted=split(UHRAW, ',')             // split the row into its CSV fields
| mv-expand id=splitted[0], dateadded=splitted[1], UHUrl=splitted[2], UHurl_status=splitted[3], UHlast_online=splitted[4], UHthreat=splitted[5], UHtags=splitted[6], UHLink=splitted[7], UHReporter=splitted[8]
| extend UHUrl = tostring(UHUrl)
| extend UHUrlDomain = tostring(parse_url(UHUrl).Host)
| project-away splitted;
// Keep only email URLs that exactly match a feed URL, then attach the email event
let URLHits = EmailUrlInfo
| join kind=inner URLHausOnlineRAW on $left.Url == $right.UHUrl
| join EmailEvents on NetworkMessageId;
URLHits
This query is designed to detect network events that involve destinations listed in the URLhaus feed, which is a database of malicious URLs. Here's a simplified breakdown of what the query does:
Fetch Data: It retrieves data from the URLhaus feed, which is a list of potentially harmful URLs, in CSV format.
Data Cleaning: It removes any lines that start with a "#" (comments) and strips out any quotation marks from the data.
Data Parsing: It splits each line of the feed into separate fields, such as ID, date added, URL, status, last online date, threat type, tags, link, and reporter.
Extract Domain: It extracts the domain from each URL for easier comparison.
Join with Email Data: It then inner-joins these URLs against the Url column of the EmailUrlInfo dataset, keeping only exact URL matches.
Join with Network Events: Finally, it joins the matched URLs with network events from the EmailEvents dataset based on a common identifier (NetworkMessageId).
The result is a set of network events that involve URLs listed in the URLhaus feed, helping to identify potentially malicious activity.
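The same cleaning, parsing and matching steps, as an added example in Python that is not part of the original query page. The feed lines, URLs, message ids and email columns below are constructed sample data, and the csv module is used so that a quoted field containing a comma survives, which a plain quote-strip-and-split would not guarantee.

```python
import csv
from urllib.parse import urlparse

# Constructed sample in the URLhaus csv_online layout (not real feed data).
SAMPLE_FEED = """# URLhaus online feed (constructed sample)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1001","2024-11-01 10:00:00","http://bad.example/drop.exe","online","2024-11-09 12:00:00","malware_download","exe","https://urlhaus.abuse.ch/url/1001/","reporter_a"
"1002","2024-11-02 11:30:00","http://evil.example/a,b/payload","online","2024-11-09 12:00:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/1002/","reporter_b"
"""

# Column names follow the mv-expand aliases used in the query.
FIELDS = ["id", "dateadded", "UHUrl", "UHurl_status", "UHlast_online",
          "UHthreat", "UHtags", "UHLink", "UHReporter"]

# Constructed stand-ins for the EmailUrlInfo and EmailEvents tables.
EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-1", "Url": "http://bad.example/drop.exe"},
    {"NetworkMessageId": "msg-2", "Url": "http://clean.example/"},
    {"NetworkMessageId": "msg-3", "Url": "http://evil.example/a,b/payload"},
]
EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-1", "SenderFromAddress": "a@sender.example"},
    {"NetworkMessageId": "msg-2", "SenderFromAddress": "b@sender.example"},
    {"NetworkMessageId": "msg-3", "SenderFromAddress": "c@sender.example"},
]


def parse_feed(text):
    """Drop '#' comment lines, parse the CSV fields and derive the URL host."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    rows = []
    for parts in csv.reader(lines):           # handles quoted commas correctly
        rec = dict(zip(FIELDS, parts))
        rec["UHUrlDomain"] = urlparse(rec["UHUrl"]).hostname or ""
        rows.append(rec)
    return rows


def match_email_urls(feed_rows, email_url_info, email_events):
    """Inner join on exact URL, then attach the email event by NetworkMessageId."""
    by_url = {r["UHUrl"]: r for r in feed_rows}
    by_msg = {e["NetworkMessageId"]: e for e in email_events}
    hits = []
    for item in email_url_info:
        feed = by_url.get(item["Url"])
        if feed is None:                      # no feed match: dropped, like kind=inner
            continue
        hits.append({**item, **feed, **by_msg.get(item["NetworkMessageId"], {})})
    return hits
```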

Benjamin Zulliger
Released: November 10, 2024