Query Details

URLhaus Network Events

Query

let urlhausRecent = (externaldata(payload_url: string) [@"https://urlhaus.abuse.ch/downloads/csv_online/"] with (format="txt"))
| where payload_url !startswith "#"
| project payload_url
| extend data = parse_csv(payload_url)
| extend ID = toint(data[0]),
         DateAdded = todatetime(data[1]),
         URL = tostring(data[2]),
         URLStatus = tostring(data[3]),
         Threat = tostring(data[4]),
         Tags = tostring(data[5]),
         urlhausLink = tostring(data[6]),
         Reporter = tostring(data[7])
| project-away payload_url, ['data'];
DeviceNetworkEvents
| join urlhausRecent on $left.RemoteUrl == $right.URL
| project Timestamp, Threat, DeviceName, InitiatingProcessAccountUpn, URL, Tags, urlhausLink, Reporter

Explanation

This query pulls the current list of online malware-distribution URLs from URLhaus (abuse.ch) with externaldata, reading the CSV download as plain text so that the commented header lines can be dropped (payload_url !startswith "#") before each remaining line is split with parse_csv. The fields are then typed by position (ID, DateAdded, URL, URLStatus, Threat, Tags, urlhausLink, Reporter) and the result is inner-joined to DeviceNetworkEvents where RemoteUrl equals the URLhaus URL exactly. Each hit is reported with its timestamp, the URLhaus threat label, the device, the initiating account and the URLhaus reference link.

Two practical caveats. The join is an exact, case-sensitive string comparison, so a network event whose RemoteUrl holds only a hostname, or which differs from the URLhaus entry in scheme, path or trailing slash, will not match. The column indices are also positional, so they should be checked against the commented header line at the top of the download, which states the current column order.
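The variant below is an added example, not the original query above: it keeps the same feed and the same column positions but normalises both sides to a hostname before joining, so that network events recording only a domain still match, and it labels each hit as an exact URL match or a host-only match. The RemoteHost and MatchType column names, the 7-day window and the extra InitiatingProcessFileName column are choices made for this example. The column indices follow the original query; verify them against the commented header line of the download.

```kql
// Added example: URLhaus matching on hostname as well as exact URL.
// Column positions are those used by the original query (id, dateadded, url,
// url_status, threat, tags, urlhaus_link, reporter); check the feed's header line.
let urlhausRecent = (externaldata(payload_url: string) [@"https://urlhaus.abuse.ch/downloads/csv_online/"] with (format="txt"))
| where payload_url !startswith "#"
| extend data = parse_csv(payload_url)
| extend DateAdded = todatetime(data[1]),
         URL = tostring(data[2]),
         Threat = tostring(data[4]),
         Tags = tostring(data[5]),
         urlhausLink = tostring(data[6]),
         Reporter = tostring(data[7])
// Hostname of the malicious URL, lower-cased for a case-insensitive join key
| extend URLHost = tolower(tostring(parse_url(URL).Host))
| where isnotempty(URLHost)
| project DateAdded, URL, URLHost, Threat, Tags, urlhausLink, Reporter;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare hostname or a full URL; reduce both forms to a hostname
| extend RemoteHost = tolower(iff(RemoteUrl contains "://",
                                   tostring(parse_url(RemoteUrl).Host),
                                   tostring(split(RemoteUrl, "/")[0])))
| join kind=inner urlhausRecent on $left.RemoteHost == $right.URLHost
// Distinguish a full-URL hit from a weaker host-only hit
| extend MatchType = iff(RemoteUrl =~ URL, "exact_url", "host_only")
| project Timestamp, MatchType, Threat, DeviceName, InitiatingProcessAccountUpn,
          InitiatingProcessFileName, RemoteUrl, URL, Tags, urlhausLink, Reporter
| order by Timestamp desc
```

Host-only matches are noisier than exact matches: URLhaus lists many payloads hosted on shared or compromised web servers and on large file-sharing services, so a host-only hit on a widely used domain needs the InitiatingProcessFileName and the URLhaus tags reviewed before it is treated as a confirmed download.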

Details


C.J. May

Released: September 27, 2022

Tables

urlhausRecent, DeviceNetworkEvents

Keywords

Devices, Intune, User

Operators

let, externaldata, with, format, where, project, extend, parse_csv, toint, todatetime, tostring, project-away, join, on, $left, $right, ==
