Ottercookie Detection
Query
// https://any.run/cybersecurity-blog/ottercookie-malware-analysis/
let QueryLookup = 1h;
let CompressData =
DeviceFileEvents
| where Timestamp > ago(QueryLookup)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName has "tar"
| distinct DeviceName;
DeviceNetworkEvents
| where Timestamp > ago(QueryLookup)
| where ActionType == "HttpConnectionInspected"
| where parse_json(AdditionalFields)["direction"] == 'Out'
| where parse_json(AdditionalFields)["status_code"] == '200'
| extend GeoCtry = tostring(geo_info_from_ip_address(RemoteIP).country)
| where GeoCtry == "United States"
| where RemotePort == "1224"
| where DeviceName has_any(CompressData)Explanation
This KQL (Kusto Query Language) query is designed to detect potential malicious activity on devices by analyzing file creation and network events. Here's a simplified explanation:
-
Time Frame: The query looks at events from the past hour (
1h). -
File Creation Check:
- It examines
DeviceFileEventsto find instances where a file was created (ActionType == "FileCreated"). - It specifically looks for files created by processes with "tar" in their name, which might indicate file compression or archiving activity.
- It collects a list of distinct device names where such file creation events occurred.
- It examines
-
Network Activity Check:
- It examines
DeviceNetworkEventsto find HTTP connections that were inspected (ActionType == "HttpConnectionInspected"). - It filters for outgoing connections (
"direction" == 'Out') with a successful status code ("status_code" == '200'). - It further filters these events to those where the connection was made to the United States (
GeoCtry == "United States") and used port 1224 (RemotePort == "1224"). - Finally, it checks if these network events are associated with any of the devices identified in the file creation check (
DeviceName has_any(CompressData)).
- It examines
In summary, this query is looking for devices that have created files using a "tar" process and have also made specific outgoing HTTP connections to the United States on port 1224, which could indicate suspicious behavior related to data exfiltration or malware activity.
Details

Steven Lim
Released: June 4, 2025
Tables
DeviceFileEventsDeviceNetworkEvents
Keywords
DeviceFileEventsNetworkGeoInfoRemoteIPAddress
Operators
letago()|where==hasdistinctparse_json()extendtostring()geo_info_from_ip_address()has_any()