Browser Domains Device Network Events
Query
let BrowserDomains = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Browser%20IOCs.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = BrowserDomains
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList)
//| where RemoteUrl != "dl.google.com" // if you allow google chrome, comment in this line
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After Hunting visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading to MDE to block all domains. Remove any results that are legitimate usage.Explanation
This query is designed to identify network events involving specific domains listed in an external CSV file. Here's a simple breakdown of what it does:
-
Load External Data: It imports a list of domains from an external CSV file hosted on GitHub. This file contains indicators of compromise (IOCs) related to browser activities.
-
Extract Domain List: It extracts the domain names (IndicatorValue) from the imported data for further analysis.
-
Filter Network Events: It examines device network events from the last 90 days to find any events where the remote URL matches one of the domains from the list.
-
Optional Filtering: There's a commented-out line that, if activated, would exclude events related to "dl.google.com" from the results, which might be useful if Google Chrome is allowed in the environment.
-
VirusTotal Links: For each matching event, it creates a link to VirusTotal for the domain, which can be used for further investigation.
-
Summarize Results: It summarizes the findings by counting the occurrences of each domain in the network events and provides a link to VirusTotal for each domain.
-
Next Steps: After analyzing the results, it suggests visiting the GitHub repository to download the CSV file and consider uploading it to Microsoft Defender for Endpoint (MDE) to block the identified domains, while ensuring to remove any domains that are legitimate and not a threat.
Details

Jay Kerai
Released: January 31, 2025
Tables
Keywords
Operators