Connections to commonly abused top level domains
Top Level Domains
Query
let abusedTLD = dynamic(["rest", "okinawa", "live", "beauty", "bar", "fit", "gq", "cfd", "zone", "top"]);
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| extend hasIPinRemoteUrl = iif(indexof_regex(RemoteUrl,@"\b(?:\d{1,3}\.){3}\d{1,3}\b") == -1,false, true)
| where hasIPinRemoteUrl==false
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$",0,RemoteUrl,typeof(string)),".")[1])
| where TLD in~ (abusedTLD)
| extend Domain = replace_regex(tostring(extract(@"[^.]+\.[^.]+$",0,RemoteUrl)),"https://","")
| project TimeGenerated, DeviceName,ActionType,RemoteUrl, TLD,Domain, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountNameAbout this query
Explanation
The query is used to find connections to commonly abused top-level domains. It includes different sections for different types of events, such as DeviceNetworkEvents, EmailUrlInfo, and UrlClickEvents. The query filters the events based on the presence of a remote URL and checks if the URL contains an IP address. It then extracts the top-level domain (TLD) from the URL and compares it to a list of commonly abused TLDs. The query also includes additional fields such as TimeGenerated, DeviceName, ActionType, RemoteIP, and more to provide more context about the connections.
Details

Alex Verboon
Released: June 4, 2023
Tables
DeviceNetworkEvents
EmailUrlInfo
EmailEvents
UrlClickEvents
Keywords
ConnectionsDevicesIntuneUserTLDMITRE ATT&CKTechniqueLinkResource DevelopmentStage CapabilitiesLink TargetDefender for EndpointSentinelSpamhausWorld's Most Abused TLDsZIPMOVGoogleTop Level DomainsEmailsEmailUrlInfoEmailEventsURL ClickEventsXYZ
Operators
isnotemptyextendiifindexof_regexwherein~replace_regexprojectsplitextracttypeofjoin