DefenderXDR Weekly OSINT Indicators Scan 24022025.kql

DefenderXDR/DefenderXDR Weekly OSINT Indicators Scan 24022025.kql

@@ -0,0 +1,57 @@
+// DefenderXDR Weekly OSINT Indicators Scan
+
+// https://www.linkedin.com/posts/0x534c_cybersecurity-osint-defenderxdr-activity-7297886477198180353-K_0Y/
+// https://security.microsoft.com/intel-explorer/articles/681e9886
+
+let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
+[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINTHightlights24Feb2025.csv'];
+let OSINTSHA256 =
+WeeklyOSINT
+| where Type == "hash_sha256"
+| project Value;
+let OSINTSHA1 =
+WeeklyOSINT
+| where Type == "hash_sha1"
+| project Value;
+let OSINTMD5 =
+WeeklyOSINT
+| where Type == "hash_md5"
+| project Value;
+let OSINTDOMAIN =
+WeeklyOSINT
+| where Type == "domain"
+| project Value;
+let OSINTURL =
+WeeklyOSINT
+| where Type == "url"
+| project Value;
+let OSINTIP =
+WeeklyOSINT
+| where Type == "ip"
+| project Value;
+let ScanEmailAttachments =
+EmailAttachmentInfo
+| where Timestamp > ago(30d)
+| where SHA256 has_any(OSINTSHA256);
+let ScanEmailURLs =
+EmailUrlInfo
+| where Timestamp > ago(30d)
+| where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
+let ScanEndpointFiles =
+DeviceFileEvents
+| where Timestamp > ago(30d)
+| where ActionType == "FileCreated"
+| where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
+let ScanEndpointNetwork1 =
+DeviceNetworkEvents
+| where Timestamp > ago(30d)
+| where ActionType == "ConnectionSuccess"
+| where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN);
+let ScanEndpointNetwork2 =
+DeviceNetworkEvents
+| where Timestamp > ago(30d)
+| where ActionType == "HttpConnectionInspected"
+| extend ConnectInfo = todynamic(AdditionalFields)
+| extend HttpHost = ConnectInfo.host
+| where HttpHost has_any(OSINTDOMAIN);
+union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2