Query Details

Telegraminfostealers

Query

Tags:

Query:
DeviceNetworkEvents
| where RemoteUrl contains "api.telegram.org"
| where InitiatingProcessFileName !in ("chrome.exe","Telegram.exe","firefox.exe","msedge.exe","slack.exe","OUTLOOK.EXE","brave.exe","Postman.exe")
| where InitiatingProcessVersionInfoFileDescription != @"Opera Internet Browser"
| where InitiatingProcessFileName != @"Google Chrome Helper"
| where InitiatingProcessFileName != @"Opera Helper"
| where InitiatingProcessFileName != @"com.apple.WebKit.Networking"

References:

Explanation

The query filters the DeviceNetworkEvents table for events whose RemoteUrl contains "api.telegram.org". It then excludes events whose InitiatingProcessFileName is one of the listed values ("chrome.exe", "Telegram.exe", "firefox.exe", and so on), events whose InitiatingProcessVersionInfoFileDescription is "Opera Internet Browser", and events whose InitiatingProcessFileName is "Google Chrome Helper", "Opera Helper", or "com.apple.WebKit.Networking". What remains are Telegram API connections initiated by processes other than the listed clients and browsers, which is the behaviour this infostealer-hunting query targets.
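The following Python is an added example, not code from the original query page: it re-implements the query's filter logic and runs it over constructed DeviceNetworkEvents-style records. It models the KQL semantics that matter here (`contains` is case-insensitive, while `!in` and `!=` are case-sensitive), so the "CHROME.EXE" record shows that a differently cased binary name slips past the exclusion list.

```python
# Added example, not from the original page: the query's filter logic in Python, run over
# constructed DeviceNetworkEvents-style records. KQL semantics modelled: `contains` is
# case-insensitive; `!in` and `!=` are case-sensitive (`!in~` / `!~` would be insensitive).
EXCLUDED_FILE_NAMES = {  # the query's `!in (...)` list plus its three `!=` clauses
    "chrome.exe", "Telegram.exe", "firefox.exe", "msedge.exe", "slack.exe",
    "OUTLOOK.EXE", "brave.exe", "Postman.exe",
    "Google Chrome Helper", "Opera Helper", "com.apple.WebKit.Networking",
}
EXCLUDED_DESCRIPTION = "Opera Internet Browser"

def matches_query(event: dict) -> bool:
    """True when an event survives every `where` clause of the query."""
    # | where RemoteUrl contains "api.telegram.org"  (case-insensitive substring)
    if "api.telegram.org" not in event.get("RemoteUrl", "").lower():
        return False
    # | where InitiatingProcessFileName !in (...) / != ...  (exact, case-sensitive)
    if event.get("InitiatingProcessFileName", "") in EXCLUDED_FILE_NAMES:
        return False
    # | where InitiatingProcessVersionInfoFileDescription != @"Opera Internet Browser"
    if event.get("InitiatingProcessVersionInfoFileDescription", "") == EXCLUDED_DESCRIPTION:
        return False
    return True

def run_query(events: list) -> list:
    """Return the DeviceName of every event the query would surface."""
    return [e["DeviceName"] for e in events if matches_query(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Unknown process reaching the Telegram API host: surfaced.
    {"DeviceName": "ws01", "RemoteUrl": "api.telegram.org",
     "InitiatingProcessFileName": "update_svc.exe", "InitiatingProcessVersionInfoFileDescription": ""},
    # Legitimate client on the exclusion list: dropped.
    {"DeviceName": "ws02", "RemoteUrl": "api.telegram.org",
     "InitiatingProcessFileName": "Telegram.exe", "InitiatingProcessVersionInfoFileDescription": "Telegram Desktop"},
    # Same browser binary, different case: `!in` is case-sensitive, so it is NOT dropped.
    {"DeviceName": "ws03", "RemoteUrl": "API.TELEGRAM.ORG",
     "InitiatingProcessFileName": "CHROME.EXE", "InitiatingProcessVersionInfoFileDescription": "Google Chrome"},
    # Opera, excluded on its file description rather than its file name: dropped.
    {"DeviceName": "ws04", "RemoteUrl": "api.telegram.org",
     "InitiatingProcessFileName": "opera.exe", "InitiatingProcessVersionInfoFileDescription": "Opera Internet Browser"},
    # Web client host rather than the API host: fails the first clause.
    {"DeviceName": "ws05", "RemoteUrl": "web.telegram.org",
     "InitiatingProcessFileName": "python.exe", "InitiatingProcessVersionInfoFileDescription": ""},
]

if __name__ == "__main__":
    print(run_query(SAMPLE_EVENTS))  # ['ws01', 'ws03']
```

If the case-mismatch result is unwanted, the KQL fix is to use `!in~` and `!~` for the process-name clauses instead of the case-sensitive forms.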

Details

Ali Hussein

Released: December 4, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,RemoteUrl,InitiatingProcessFileName,InitiatingProcessVersionInfoFileDescription

Operators

|,where,contains,!in,!=,@"
