Query Details

Check if Defender EASM IPs or Hosts are mentioned in DDoSia Project current configuration

Query

# Check if Defender EASM IPs or Hosts are mentioned in DDosia Project current configuration

## Description

The following query checks the latest DDoSia configuration for IPs and domains that are part of the organization's Defender EASM inventory. As a prerequisite, the Defender EASM data connector must be enabled in Microsoft Sentinel so that the `EasmHostAsset_CL` table is populated.

### References
- https://witha.name/

### Microsoft Sentinel
```kql
// Pull the latest DDoSia configuration (host, ip) from the external CSV feed
let DDosiaIntelligence = externaldata(host: string, ip: string)[@"https://witha.name/data/last.csv"]
    with (format="csv", ignoreFirstRecord=true);
let ddosia_data = DDosiaIntelligence
    | summarize by host, ip // Deduplicate the feed
    | extend ddosia_clean_host = replace_regex(host, @"^www\.", "") // Remove www. to match EASM Domain_s
    | project-rename ddosia_host=ddosia_clean_host, ddosia_ip=ip;
// Check if there is an IP match
let ip_query = ddosia_data
| join kind=inner (
    EasmHostAsset_CL
    | extend individual_ip = parse_json(IpAddresses_s) // IpAddresses_s is a JSON array of IPs
    | mv-expand individual_ip // Expand all available IPs related to a Domain in EASM
    | extend IpAddresses_s_ = tostring(individual_ip)
    | project TimeGenerated, IpAddresses_s_
)
on $left.ddosia_ip == $right.IpAddresses_s_;
// Check if there is a Host/Domain match
let host_query = ddosia_data
| join kind=inner (
    EasmHostAsset_CL
    | extend asset_host = tostring(parse_json(Domain_s))
    | project TimeGenerated, asset_host
)
on $left.ddosia_host == $right.asset_host;
// Combine all results using the union operator
ip_query
| union host_query
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 09/04/2025    | Initial publish                        |

Explanation

This query is designed to check if any IP addresses or hostnames (domains) from the latest configuration of the DDoSia project are part of an organization's Defender External Attack Surface Management (EASM) assets. Here's a simplified breakdown of what the query does:

  1. Data Retrieval: It pulls the latest data from an external source (a CSV file) containing hostnames and IP addresses related to the DDoSia project.
  2. Data Preparation:
     • It processes this data to remove any "www." prefix from hostnames to ensure they match the format used in the EASM data.
     • It renames the columns for clarity.
  3. IP Address Matching:
     • It checks if any IP addresses from the DDoSia data match the IP addresses associated with the organization's EASM assets.
     • This is done by expanding all IPs related to a domain in the EASM data and comparing them with the DDoSia IPs.
  4. Hostname/Domain Matching:
     • It checks if any hostnames from the DDoSia data match the domains listed in the organization's EASM assets.
  5. Result Compilation:
     • It combines the results of both IP and hostname matches to provide a comprehensive list of any overlaps between the DDoSia configuration and the organization's EASM assets.

This query is useful for identifying potential threats or overlaps between known malicious configurations and the organization's external attack surface, helping in proactive threat management.
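To validate the matching logic without the external feed or the EASM connector, the same steps can be run over constructed sample rows. This is an added example, not part of the published query: both input tables are replaced with `datatable` stand-ins (the rows are invented), `Domain_s` is assumed to be a plain string column, and a `match_type` column is added so the union output shows which path produced each hit.

```kql
// Constructed sample of the DDoSia feed (same columns as last.csv)
let DDosiaIntelligence = datatable(host: string, ip: string)
[
    "www.example-bank.test",   "203.0.113.10",
    "portal.example-gov.test", "198.51.100.7",
    "unrelated.test",          "192.0.2.99"
];
// Constructed stand-in for EasmHostAsset_CL; IpAddresses_s is a JSON array string as delivered by the connector
let EasmHostAsset_CL = datatable(TimeGenerated: datetime, Domain_s: string, IpAddresses_s: string)
[
    datetime(2025-04-09 08:00:00), "example-bank.test",      '["203.0.113.10","203.0.113.11"]',
    datetime(2025-04-09 08:00:00), "shop.example-bank.test", '["198.51.100.7"]',
    datetime(2025-04-09 08:00:00), "example-other.test",     '["192.0.2.1"]'
];
// Same preparation as the published query: dedupe, strip a leading www., rename
let ddosia_data = DDosiaIntelligence
    | summarize by host, ip
    | extend ddosia_host = replace_regex(host, @"^www\.", "")
    | project ddosia_host, ddosia_ip = ip;
// IP path: expand every IP of every EASM host asset and join on the exact address
let ip_query = ddosia_data
    | join kind=inner (
        EasmHostAsset_CL
        | mv-expand individual_ip = parse_json(IpAddresses_s)
        | extend asset_ip = tostring(individual_ip)
        | project TimeGenerated, asset_host = Domain_s, asset_ip
    ) on $left.ddosia_ip == $right.asset_ip
    | extend match_type = "ip";
// Host path: join the normalized DDoSia host against the EASM domain
let host_query = ddosia_data
    | join kind=inner (
        EasmHostAsset_CL
        | project TimeGenerated, asset_host = Domain_s
    ) on $left.ddosia_host == $right.asset_host
    | extend match_type = "host";
// union fills asset_ip with null for host matches, so the final project is uniform
ip_query
| union host_query
| project TimeGenerated, match_type, ddosia_host, ddosia_ip, asset_host, asset_ip
| order by match_type asc
```

The sample is built so that the "www." case is matched on the host path and the IP path finds a hit through the expanded JSON array rather than the domain name; the third DDoSia row overlaps with nothing and should not appear.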

Details


Michalis Michalos

Released: April 9, 2025

Tables

DDosiaIntelligence, EasmHostAsset_CL

Keywords

Defender, EASM, IPs, Hosts, DDosia, Project, Configuration, Organization, Microsoft, Sentinel

Operators

let, externaldata, with, format, ignoreFirstRecord, summarize, by, extend, replace, project-rename, join, kind, inner, parse_json, mv-expand, tostring, project, on, union
