Query Details
// Pull the redirector indicator list (columns: type, IndicatorValue) from the CSV on GitHub
let WebsiteRedirectors = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/WebisteRedirectors.csv"] with (format="csv", ignoreFirstRecord=True);
// Keep only the domain column for the membership test
let DomainList = WebsiteRedirectors | project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~ (DomainList)
// Build a VirusTotal domain link for each hit
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
This KQL (Kusto Query Language) query is designed to analyze network events related to website redirects. Here's a simplified breakdown of what the query does:
Data Import: It starts by importing a list of website redirectors from an external CSV file hosted on GitHub. This file contains two columns: type and IndicatorValue, but only the IndicatorValue (which represents domain names) is used.
Domain List Extraction: The query extracts the IndicatorValue column from the imported data to create a list of domains (DomainList).
Event Filtering: It then examines network events (DeviceNetworkEvents) from the last 90 days.
Domain Matching: The query filters these events to find instances where the RemoteUrl (the URL accessed during the network event) matches any domain in the DomainList.
VirusTotal URL Creation: For each matching event, it creates a URL that links to the VirusTotal page for that domain. This is done using the extend operator to add a new column (VT_domain) that contains the VirusTotal URL.
Event Summarization: Finally, the query summarizes the data by counting the number of events for each RemoteUrl and its corresponding VirusTotal URL.
In essence, this query identifies and counts network events involving specific website redirects from a predefined list, and provides links to their VirusTotal analysis pages.
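The filter, extend and summarize steps of the query, replayed in Python over a constructed CSV and a few constructed DeviceNetworkEvents rows; this is an added example, not part of the original query or its author's code. It also goes beyond the page: because in~ is an exact (case-insensitive) string match, a RemoteUrl that carries a scheme, path or port never equals a bare domain entry, so the example adds a normalize option (an assumption, not in the page's KQL) that extracts the host first.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for the CSV that externaldata() fetches:
# columns type and IndicatorValue, header row skipped (ignoreFirstRecord).
SAMPLE_CSV = """type,IndicatorValue
domain,redirector-one.example
domain,Redirector-Two.example
"""

# Constructed DeviceNetworkEvents rows, RemoteUrl as the sensor records it.
SAMPLE_EVENTS = [
    {"RemoteUrl": "redirector-one.example"},
    {"RemoteUrl": "REDIRECTOR-ONE.example"},
    {"RemoteUrl": "https://redirector-two.example/track?id=1"},
    {"RemoteUrl": "unrelated.example"},
]

def load_domain_list(csv_text):
    """Mirror `externaldata ... | project IndicatorValue`: keep only the indicator column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["IndicatorValue"].lower() for row in reader if row["IndicatorValue"]}

def host_of(remote_url):
    """Reduce a RemoteUrl to its bare host (hypothetical helper; not in the page's query)."""
    if "://" not in remote_url:
        remote_url = "//" + remote_url
    return (urlsplit(remote_url).hostname or "").lower()

def summarize(events, domains, normalize=False):
    """Replay `where RemoteUrl in~ (DomainList) | extend VT_domain | summarize count()`.
    normalize=False reproduces the query exactly (whole-string, case-insensitive match);
    normalize=True matches on the extracted host so URLs with scheme/path still hit."""
    counts = Counter()
    for ev in events:
        url = ev["RemoteUrl"]
        key = host_of(url) if normalize else url.lower()
        if key in domains:
            vt_target = host_of(url) if normalize else url
            vt = f"https://www.virustotal.com/gui/domain/{vt_target}"
            counts[(url, vt)] += 1   # summarize count() by RemoteUrl, VT_domain
    return dict(counts)
```

Note that summarize groups by the raw RemoteUrl, so the two case variants of the first domain stay separate rows, exactly as they would in the KQL output.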

Jay Kerai
Released: March 15, 2025