Telegraminfostealers
Query
Tags:
Query:
DeviceNetworkEvents
| where RemoteUrl contains "api.telegram.org"
| where InitiatingProcessFileName !in ("chrome.exe","Telegram.exe","firefox.exe","msedge.exe","slack.exe","OUTLOOK.EXE","brave.exe","Postman.exe")
| where InitiatingProcessVersionInfoFileDescription != @"Opera Internet Browser"
| where InitiatingProcessFileName != @"Google Chrome Helper"
| where InitiatingProcessFileName != @"Opera Helper"
| where InitiatingProcessFileName != @"com.apple.WebKit.Networking"
Rferences:Explanation
This query is searching through network event data to find instances where a device has connected to the Telegram API (specifically, any URL containing "api.telegram.org"). However, it filters out connections initiated by common web browsers and applications such as Chrome, Firefox, Edge, Slack, Outlook, Brave, Postman, and Opera. Additionally, it excludes connections initiated by certain helper processes associated with Google Chrome, Opera, and Apple's WebKit Networking. Essentially, the query is looking for unusual or unexpected processes that are accessing the Telegram API, which might indicate suspicious activity.
Details

Ali Hussein
Released: December 4, 2023
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEvents
Operators
DeviceNetworkEventswherecontains!in!=