TI Volexity Feed Urls In Email Url Info
Query
//Volexity Feed Hits in EmailUrlInfo
let domains = externaldata (data:string)[h@"https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt"];
let ExcludedDomains = dynamic([ "links.infos.clubmed.com"]);
EmailEvents
| where Timestamp > ago (30d)
| join EmailUrlInfo on NetworkMessageId
| where Url has_any (domains) and DeliveryAction !~ "Blocked"
| where not(Url has_any (ExcludedDomains))Explanation
This KQL (Kusto Query Language) query is designed to identify specific email events based on a list of domains from an external source. Here's a simplified breakdown of what the query does:
-
Load External Data: It retrieves a list of domains from an external file hosted on GitHub. This file contains threat intelligence data from Volexity.
-
Define Excluded Domains: It specifies a list of domains to exclude from the results. In this case, it excludes any URLs that contain "links.infos.clubmed.com".
-
Filter Email Events: It searches through email events from the past 30 days.
-
Join with URL Information: It combines email events with URL information based on a common identifier,
NetworkMessageId. -
Check for Specific Domains: It filters the results to include only those emails where the URL contains any of the domains from the external list and where the email was not blocked.
-
Exclude Certain Domains: It further filters out any emails where the URL contains any of the excluded domains.
In summary, this query identifies recent email events that involve URLs from a specific list of potentially malicious domains, ensuring that these emails were not blocked and do not include certain excluded domains.
Details

Benjamin Zulliger
Released: November 10, 2024
Tables
Keywords
Operators