Query Details

UrlHaus Abuse.ch Hits in Microsoft Teams

Query

**UrlHaus Abuse.ch Hits in Microsoft Teams**

This query identifies malicious URLs sent via Microsoft Teams by matching the URLs found in Teams messages against the URLhaus (abuse.ch) feed of currently online malicious URLs and reporting any hits.

```kusto
//UrlHaus Abuse.ch Hits in Microsoft Teams
// Pull the URLhaus feed of URLs that are currently online; lines starting with '#' are comments.
let URLHausOnlineRAW = externaldata (UHFeed:string) ["https://urlhaus.abuse.ch/downloads/csv_online/"] with(format="txt")
| where UHFeed !startswith "#"
| extend UHRAW=replace_string(UHFeed, '"', '')   // drop the CSV quoting around each field
| project splitted=split(UHRAW, ',')
// Column order of the feed: id, dateadded, url, url_status, last_online, threat, tags, urlhaus_link, reporter
| mv-expand id=splitted[0], dateadded=splitted[1], UHUrl=splitted[2], UHurl_status=splitted[3], UHlast_online=splitted[4], UHthreat=splitted[5], UHtags=splitted[6], UHLink=splitted[7], UHReporter=splitted[8]
| extend UHUrl = tostring(UHUrl);
CloudAppEvents
| where Application has "Microsoft Teams"
// MessageURLs is a JSON array inside RawEventData, e.g. ["http://..."]; strip the leading [" and trailing "]
// so a single-URL message becomes a plain string that can be compared with the feed URL.
| extend MessageURLs = tostring(todynamic(RawEventData).MessageURLs)
| extend MessageURLs_ = substring(MessageURLs, 2, strlen(MessageURLs) - 4)
| join kind=inner URLHausOnlineRAW on $left.MessageURLs_ == $right.UHUrl
```

Explanation

This query is designed to identify malicious URLs that have been sent via Microsoft Teams by cross-referencing them with a list of known malicious URLs from the UrlHaus database. Here's a simplified breakdown of what the query does:

  1. Fetch Malicious URLs: It retrieves a list of currently active malicious URLs from the UrlHaus database, which is a known source for tracking malicious URLs. The data is fetched in a CSV format from a specified URL.

  2. Data Cleaning and Preparation: The query processes the fetched data by removing any lines that start with a "#" (which are typically comments) and removes any quotation marks. It then splits each line of the CSV into separate fields such as ID, date added, URL, status, last online date, threat type, tags, link, and reporter.

  3. Extract Microsoft Teams Data: It accesses the CloudAppEvents table to find events related to Microsoft Teams. Specifically, it looks for URLs that have been sent in messages.

  4. URL Matching: The query reads the MessageURLs array from each Teams event's RawEventData and strips the surrounding brackets and quotes so the value is a plain URL string. It then performs an inner join between those URLs and the malicious URLs from UrlHaus to identify any matches.

  5. Result: If there are any matches, it indicates that a malicious URL from the UrlHaus list has been sent via Microsoft Teams, which could be a potential security threat.

In summary, this query helps detect if any known malicious URLs have been shared through Microsoft Teams by comparing them against a database of such URLs.
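The same matching logic as an added, stand-alone example (not part of the original query page): it parses a constructed URLhaus CSV snippet the way the KQL does, pulls MessageURLs out of constructed CloudAppEvents rows, and joins them. It goes one step beyond the query by decoding the MessageURLs JSON array properly, so messages carrying more than one URL are also checked; the feed rows, event rows and function names are all assumptions made for this example.

```python
import csv
import json

# Constructed sample of the URLhaus "csv_online" feed (not real feed data).
URLHAUS_CSV = """\
# abuse.ch URLhaus Database Dump (CSV, online URLs only) - constructed sample
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1001","2024-12-18 10:00:00","http://example.invalid/payload.exe","online","2024-12-18 10:00:00","malware_download","exe","https://urlhaus.abuse.ch/url/1001/","reporter_a"
"1002","2024-12-18 11:00:00","http://bad.example.invalid/doc.zip","online","2024-12-18 11:00:00","malware_download","zip","https://urlhaus.abuse.ch/url/1002/","reporter_b"
"""

# Constructed CloudAppEvents rows: only the columns the query touches.
CLOUD_APP_EVENTS = [
    {"Application": "Microsoft Teams",
     "RawEventData": json.dumps({"MessageURLs": ["http://example.invalid/payload.exe"]})},
    {"Application": "Microsoft Teams",   # two URLs in one message; the substring trick would miss this
     "RawEventData": json.dumps({"MessageURLs": ["https://teams.microsoft.com/l/meetup-join/x",
                                                  "http://bad.example.invalid/doc.zip"]})},
    {"Application": "Microsoft SharePoint Online",   # not Teams, must be ignored
     "RawEventData": json.dumps({"MessageURLs": ["http://example.invalid/payload.exe"]})},
]

FEED_FIELDS = ["id", "dateadded", "url", "url_status", "last_online",
               "threat", "tags", "urlhaus_link", "reporter"]

def load_urlhaus(feed_text):
    """Mirror of the KQL feed parsing: drop '#' lines, strip quotes, split on commas.
    Returns a dict keyed by URL so the join below is a simple lookup."""
    rows = (line for line in feed_text.splitlines() if line and not line.startswith("#"))
    return {r[2]: dict(zip(FEED_FIELDS, r)) for r in csv.reader(rows)}

def teams_urls(event):
    """Every URL in a Teams event; decodes the JSON array instead of trimming brackets."""
    if "Microsoft Teams" not in event["Application"]:
        return []
    return json.loads(event["RawEventData"]).get("MessageURLs", [])

def find_hits(events, feed):
    """Inner join of Teams message URLs against the URLhaus feed: (url, threat, feed id)."""
    return [(url, feed[url]["threat"], feed[url]["id"])
            for ev in events for url in teams_urls(ev) if url in feed]

if __name__ == "__main__":
    for hit in find_hits(CLOUD_APP_EVENTS, load_urlhaus(URLHAUS_CSV)):
        print(hit)
```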

Details


Sergio Albea

Released: December 18, 2024

Tables

CloudAppEvents

Keywords

Url, Microsoft Teams, CloudAppEvents

Operators

let, externaldata, where, extend, replace_string, project, split, mv-expand, tostring, CloudAppEvents, has, todynamic, substring, strlen, join