Query Details

TI Volexity Feed Urls In Email Url Info

Query

// Volexity feed hits in EmailUrlInfo
// Indicator list: one domain per line, fetched at query time from the Volexity threat-intel repo
let domains = externaldata (data:string)[h@"https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt"];
// Known-benign domains whose URLs would otherwise match the indicator list
let ExcludedDomains = dynamic(["links.infos.clubmed.com"]);
EmailEvents
| where Timestamp > ago(30d)
| join EmailUrlInfo on NetworkMessageId
// Keep only mail that carried an indicator URL and was actually delivered (not blocked)
| where Url has_any (domains) and DeliveryAction !~ "Blocked"
| where not(Url has_any (ExcludedDomains))

Explanation

This KQL (Kusto Query Language) query is designed to identify specific email events based on a list of domains from an external source. Here's a simplified breakdown of what the query does:

  1. Load External Data: It retrieves a list of domains from an external file hosted on GitHub. This file contains threat intelligence data from Volexity.

  2. Define Excluded Domains: It specifies a list of domains to exclude from the results. In this case, it excludes any URLs that contain "links.infos.clubmed.com".

  3. Filter Email Events: It searches through email events from the past 30 days.

  4. Join with URL Information: It combines email events with URL information based on a common identifier, NetworkMessageId.

  5. Check for Specific Domains: It filters the results to include only those emails where the URL contains any of the domains from the external list and where the email was not blocked.

  6. Exclude Certain Domains: It further filters out any emails where the URL contains any of the excluded domains.

In summary, this query identifies recent email events that involve URLs from a specific list of potentially malicious domains, ensuring that these emails were not blocked and do not include certain excluded domains.
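To check the filter logic without a Defender tenant or the live feed, the same pipeline can be run against inline tables. This is an added example, not part of the original query; the indicator domains, message IDs, sender addresses and URLs are all constructed, and the `MinutesAgo` column exists only to place rows relative to the current time.

```kql
// Constructed stand-in for the Volexity indicator list (externaldata in the real query)
let domains = datatable(data:string) [
    "ipfs-lure.example",
    "gateway.bad.example"
];
let ExcludedDomains = dynamic(["links.infos.clubmed.com"]);
// Constructed EmailEvents rows; Timestamp is derived so the 30-day window always applies
let EmailEvents = datatable(MinutesAgo:long, NetworkMessageId:string, SenderFromAddress:string, DeliveryAction:string) [
    10,     "msg-001", "a@sender.example", "Delivered",   // expected hit
    20,     "msg-002", "b@sender.example", "Blocked",     // dropped: already blocked
    30,     "msg-003", "c@sender.example", "Delivered",   // dropped: excluded domain in URL
    40,     "msg-004", "d@sender.example", "Delivered",   // dropped: no indicator in URL
    100000, "msg-005", "e@sender.example", "Delivered"    // dropped: older than 30 days
]
| extend Timestamp = ago(MinutesAgo * 1m);
// Constructed EmailUrlInfo rows keyed by the same NetworkMessageId
let EmailUrlInfo = datatable(NetworkMessageId:string, Url:string) [
    "msg-001", "https://ipfs-lure.example/ipfs/constructed-cid/lure.html",
    "msg-002", "https://gateway.bad.example/payload",
    // Contains both an indicator term and the excluded domain: the exclusion wins,
    // which is the case to watch when tuning ExcludedDomains
    "msg-003", "https://links.infos.clubmed.com/track?u=gateway.bad.example",
    "msg-004", "https://benign.example/newsletter",
    "msg-005", "https://ipfs-lure.example/old-campaign"
];
// Same pipeline as the page's query, with a project for readable output
EmailEvents
| where Timestamp > ago(30d)
| join EmailUrlInfo on NetworkMessageId
| where Url has_any (domains) and DeliveryAction !~ "Blocked"
| where not(Url has_any (ExcludedDomains))
| project Timestamp, NetworkMessageId, SenderFromAddress, DeliveryAction, Url
// Only msg-001 should remain in the result set
```

Swapping a row's DeliveryAction or URL and re-running shows which of the four conditions removed it, which is useful before widening ExcludedDomains in production.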

Details


Benjamin Zulliger

Released: November 10, 2024

Tables

EmailEvents, EmailUrlInfo

Keywords

EmailEvents, UrlInfo, Timestamp, NetworkMessageId, DeliveryAction, Domains

Operators

let, externaldata, dynamic, ago, join, on, where, has_any, !~, not