Query Details

TI Network Events Listed On Threatfox Abusech

Query

// This query detects DeviceNetworkEvents whose remote host is listed on the Threatfox (abuse.ch) hostfile
let Threatfox = externaldata (TFData: string) ["https://threatfox.abuse.ch/downloads/hostfile/"]
    | where TFData !startswith "#"                                     // drop comment/header lines
    | extend TFData = replace_regex(TFData, @'^127\.0\.0\.1\s+', "");  // strip the "127.0.0.1 " sinkhole prefix, leaving only the hostname
DeviceNetworkEvents
| where RemoteIPType == "Public"
// kind=inner returns every matching event; the default (innerunique) would keep only one event per distinct RemoteUrl
| join kind=inner Threatfox on $left.RemoteUrl == $right.TFData

Explanation

This query is designed to identify network events involving hosts that are flagged as threats by Threatfox, a service provided by abuse.ch. Here's a simple breakdown of what the query does:

  1. Fetch Threat Data: It retrieves a list of threat-related hostnames from Threatfox's host file, ignoring any lines that start with a "#", which are typically comments.

  2. Clean Data: The Threatfox file uses hosts-file format, where each entry is the sinkhole address "127.0.0.1" followed by whitespace and the hostname. The query strips that "127.0.0.1" prefix and the spaces after it, because the prefix is only a placeholder and not an actual threat host; what remains is the bare hostname.

  3. Filter Network Events: It looks at network events from devices, specifically those where the remote IP address is public (not private or internal).

  4. Match with Threat List: It checks if the remote URL from the network events matches any of the hostnames in the Threatfox list.

In summary, this query identifies network activities involving public IPs that are associated with known threat hosts according to Threatfox.
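The following Python script is an added example, not part of the original query page, that mirrors the four steps above on constructed data so the parsing and matching logic can be checked offline: it parses a hostfile in the Threatfox format (comment lines, "127.0.0.1 hostname" entries, blank lines), keeps only events whose RemoteIPType is "Public", and reports the events whose RemoteUrl appears in the feed. The hostfile content, the device names and the hostnames below are all constructed sample values, and the column names are the ones the query uses.

```python
import re

# Constructed sample in the Threatfox hostfile layout (not real feed data):
# '#' lines are comments, entries are "127.0.0.1<whitespace>hostname".
SAMPLE_HOSTFILE = """\
# Threatfox hostfile (constructed sample for this example)
# Last updated: <placeholder>
#
127.0.0.1\tmalicious.example
127.0.0.1   c2.example.net
127.0.0.1 drop.example.org

# trailing comment line
"""

# Constructed DeviceNetworkEvents rows, limited to the columns the query touches.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteUrl": "malicious.example", "RemoteIP": "203.0.113.10", "RemoteIPType": "Public"},
    {"DeviceName": "ws02", "RemoteUrl": "c2.example.net",    "RemoteIP": "10.0.0.5",     "RemoteIPType": "Private"},
    {"DeviceName": "ws03", "RemoteUrl": "benign.example",    "RemoteIP": "198.51.100.7", "RemoteIPType": "Public"},
    {"DeviceName": "ws04", "RemoteUrl": "",                  "RemoteIP": "198.51.100.9", "RemoteIPType": "Public"},
    {"DeviceName": "ws05", "RemoteUrl": "drop.example.org",  "RemoteIP": "192.0.2.44",   "RemoteIPType": "Public"},
]

# Same pattern the query applies with replace(): the sinkhole address plus trailing whitespace.
_SINKHOLE_PREFIX = re.compile(r"^127\.0\.0\.1\s+")


def parse_threatfox_hostfile(text: str) -> set[str]:
    """Steps 1 and 2: skip '#' comment lines, strip the '127.0.0.1' prefix, return the hostnames."""
    hosts: set[str] = set()
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        host = _SINKHOLE_PREFIX.sub("", line).strip()
        if host:  # blank lines would otherwise become an empty key and match events with an empty RemoteUrl
            hosts.add(host)
    return hosts


def match_events(events: list[dict], hosts: set[str]) -> list[dict]:
    """Steps 3 and 4: keep public-IP events whose RemoteUrl is on the threat list (exact, case-sensitive match like KQL join)."""
    return [e for e in events if e["RemoteIPType"] == "Public" and e["RemoteUrl"] in hosts]


if __name__ == "__main__":
    threat_hosts = parse_threatfox_hostfile(SAMPLE_HOSTFILE)
    for hit in match_events(SAMPLE_EVENTS, threat_hosts):
        print(f'{hit["DeviceName"]} -> {hit["RemoteUrl"]} ({hit["RemoteIP"]})')
```

Two behaviours worth noting when comparing this with the KQL: the private-range event (ws02) is excluded by the RemoteIPType filter even though its hostname is on the list, and the script discards empty hostnames so that a blank line in the feed cannot match events whose RemoteUrl is empty; in KQL the equivalent guard would be a `where isnotempty(TFData)` on the Threatfox side.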

Details


Benjamin Zulliger

Released: November 10, 2024

Tables

DeviceNetworkEvents

Keywords

NetworkEvents, Devices, Threatfox, Abusech

Operators

let, externaldata, where, !startswith, extend, replace, join, on, ==
