TI Network Event With Urlhaus Abusech Hit
Query
//This Query Detects Networks Events to Destinations listed on urlhaus.abuse.ch Feed
let URLHausOnlineRAW = externaldata (UHFeed:string) ["https://urlhaus.abuse.ch/downloads/csv_online/"] with(format="txt")
| where UHFeed !startswith "#"
| extend UHRAW=replace_string(UHFeed, '"', '')
| project splitted=split(UHRAW, ',')
| mv-expand id=splitted[0], dateadded=splitted[1], UHUrl=splitted[2], UHurl_status=splitted[3], UHlast_onlin=splitted[4], UHthreat=splitted[5], UHtags=splitted[6], UHLink=splitted[7], UHReporter=splitted[8]
| extend UHUrl = tostring(UHUrl)
| extend UHUrlDomain = tostring(parse_url(UHUrl).Host)
| project-away splitted;
let URLHits = EmailUrlInfo
| join kind=inner URLHausOnlineRAW on $left.Url == $right.UHUrl
| join EmailEvents on NetworkMessageId;
URLHitsExplanation
This query is designed to detect network events that involve destinations listed in the URLhaus feed, which is a database of malicious URLs. Here's a simplified breakdown of what the query does:
-
Fetch Data: It retrieves data from the URLhaus feed, which is a list of potentially harmful URLs, in CSV format.
-
Data Cleaning: It removes any lines that start with a "#" (comments) and strips out any quotation marks from the data.
-
Data Parsing: It splits each line of the feed into separate fields, such as ID, date added, URL, status, last online date, threat type, tags, link, and reporter.
-
Extract Domain: It extracts the domain from each URL for easier comparison.
-
Join with Email Data: It then compares these URLs with URLs found in the
EmailUrlInfodataset to find matches. -
Join with Network Events: Finally, it joins the matched URLs with network events from the
EmailEventsdataset based on a common identifier (NetworkMessageId).
The result is a set of network events that involve URLs listed in the URLhaus feed, helping to identify potentially malicious activity.
Details

Benjamin Zulliger
Released: November 10, 2024
Tables
Keywords
Operators