-
Notifications
You must be signed in to change notification settings - Fork 81
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
DefenderXDR Weekly OSINT Indicators Scan.kql
- Loading branch information
Showing
1 changed file
with
55 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| // DefenderXDR Weekly OSINT Indicators Scan | ||
|
|
||
| let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string) | ||
| [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/WeeklyOSINTHightlights17Feb2025.csv']; | ||
| let OSINTSHA256 = | ||
| WeeklyOSINT | ||
| | where Type == "hash_sha256" | ||
| | project Value; | ||
| let OSINTSHA1 = | ||
| WeeklyOSINT | ||
| | where Type == "hash_sha1" | ||
| | project Value; | ||
| let OSINTMD5 = | ||
| WeeklyOSINT | ||
| | where Type == "hash_md5" | ||
| | project Value; | ||
| let OSINTDOMAIN = | ||
| WeeklyOSINT | ||
| | where Type == "domain" | ||
| | project Value; | ||
| let OSINTURL = | ||
| WeeklyOSINT | ||
| | where Type == "url" | ||
| | project Value; | ||
| let OSINTIP = | ||
| WeeklyOSINT | ||
| | where Type == "ip" | ||
| | project Value; | ||
| let ScanEmailAttachments = | ||
| EmailAttachmentInfo | ||
| | where Timestamp > ago(30d) | ||
| | where SHA256 has_any(OSINTSHA256); | ||
| let ScanEmailURLs = | ||
| EmailUrlInfo | ||
| | where Timestamp > ago(30d) | ||
| | where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL); | ||
| let ScanEndpointFiles = | ||
| DeviceFileEvents | ||
| | where Timestamp > ago(30d) | ||
| | where ActionType == "FileCreated" | ||
| | where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256); | ||
| let ScanEndpointNetwork1 = | ||
| DeviceNetworkEvents | ||
| | where Timestamp > ago(30d) | ||
| | where ActionType == "ConnectionSuccess" | ||
| | where RemoteIP has_any (OSINTIP) or RemoteUrl has_any (OSINTDOMAIN); | ||
| let ScanEndpointNetwork2 = | ||
| DeviceNetworkEvents | ||
| | where Timestamp > ago(30d) | ||
| | where ActionType == "HttpConnectionInspected" | ||
| | extend ConnectInfo = todynamic(AdditionalFields) | ||
| | extend HttpHost = ConnectInfo.host | ||
| | where HttpHost has_any(OSINTDOMAIN); | ||
| union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2 | ||
|
|