Query Details

Email TI Url Listed On Threatfox In Email Url Info

Query

//This Query detects Url listed on abuse.ch Threatfox Feed in EmailUrlInfo
let TwitterFeed_today = externaldata (Date: string, Src: string, Art: string, Value: string) ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv"];
let TwitterFeed_week = externaldata (Date: string, Src: string, Art: string, Value: string) ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"];
let TwitterFeed_month = externaldata (Date: string, Src: string, Art: string, Value: string) ["https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"];
EmailUrlInfo 
| join EmailEvents on NetworkMessageId
| join (TwitterFeed_today
| where Art == "url"
) on $left.Url == $right.Value
| join (TwitterFeed_week
| where Art == "url"
) on $left.Url == $right.Value
| join (TwitterFeed_month
| where Art == "url"
) on $left.Url == $right.Value

Explanation

This query is designed to detect URLs in email data that are listed in a threat intelligence feed. Here's a simplified breakdown:

  1. Data Sources: The query pulls in three external data sources representing URLs flagged as threats on different time scales:

    • TwitterFeed_today: URLs flagged today.
    • TwitterFeed_week: URLs flagged this week.
    • TwitterFeed_month: URLs flagged this month.
  2. Email Data: It uses data from EmailUrlInfo and EmailEvents, which contain information about URLs found in emails and related email events.

  3. Joining Data: The query performs a series of joins:

    • It first joins EmailUrlInfo with EmailEvents using a common identifier (NetworkMessageId).
    • Then, it checks if any URLs from the emails match URLs listed in the daily, weekly, and monthly threat feeds. This is done by joining on the URL field (Url in the email data and Value in the threat feeds) and filtering for entries where the type (Art) is "url".
  4. Purpose: The goal is to identify any URLs in emails that are also present in the threat feeds, indicating potential security threats or malicious activity.

Details

User Submission profile picture

User Submission

Released: November 10, 2024

Tables

EmailUrlInfoEmailEvents

Keywords

EmailUrlInfoEventsNetworkMessageIdTwitterFeed

Operators

letexternaldataon|joinwhere==$left$right

Actions

GitHub