Website Redirectors Device Network Events
Query
let WebsiteRedirectors = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/WebsiteRedirectors.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = WebsiteRedirectors
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList )
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domainExplanation
This query is designed to analyze network events related to potentially malicious website redirects over the past 90 days. Here's a simple breakdown of what it does:
-
Load Data: It starts by loading a list of potentially harmful website redirectors from an external CSV file hosted on GitHub. This list is stored in a table called
WebsiteRedirectors. -
Extract Domain List: From this table, it extracts the
IndicatorValuecolumn, which contains the domain names of these redirectors, and stores them in a list calledDomainList. -
Filter Network Events: The query then looks at network events from the last 90 days (
DeviceNetworkEvents) and filters them to find events where theRemoteUrl(the URL accessed by a device) matches any domain in theDomainList. -
Create VirusTotal Links: For each matching event, it creates a link to VirusTotal, a website that provides information about the safety of domains. This link is stored in a new column called
VT_domain. -
Summarize Results: Finally, it summarizes the data by counting how many times each
RemoteUrlappears in the filtered events, along with its corresponding VirusTotal link.
In essence, this query helps identify and count the number of times devices in the network have accessed potentially harmful websites, providing a quick way to investigate these domains further using VirusTotal.
Details

Jay Kerai
Released: April 15, 2025
Tables
Keywords
Operators