Rating IS Ps To Detect Potential Malicious Domains Sending Threats
Query
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']with (ignoreFirstRecord=true));
EmailEvents
| evaluate ipv4_lookup(CIDRASN, SenderIPv4, CIDR, return_unmatched=true)
| extend GeoIPData = tostring(geo_info_from_ip_address(SenderIPv4).country)
| summarize Different_IPs=make_set(SenderIPv4), Countries= make_set(GeoIPData), make_set(CIDR), make_set(SenderFromDomain), Total_different_IPs=dcount(SenderIPv4) ,Total_emails = count(),make_set(ThreatTypes),Delivered_on_Inbox= countif(DeliveryLocation has "Inbox/folder"), Email_Threat= count(isnotempty(ThreatTypes)),
Email_Valid = count( isempty(ThreatTypes)) by GeoIPData, CIDR, CIDRASNName
| extend SuspiciousRatio = Email_Threat * 1.0 / Total_emails, ValidRatio = Email_Valid * 1.0 / Total_emails
| extend SuspiciousPercentage = SuspiciousRatio * 100, ValidPercentage = ValidRatio * 100
| order by Email_Threat
| project CIDRASNName,set_SenderFromDomain, set_CIDR, Different_IPs, Countries,Total_different_IPs, set_ThreatTypes,Total_emails, Delivered_on_Inbox, Email_Threat, Email_Valid, SuspiciousPercentage, ValidPercentageAbout this query
Rating ISPs to detect potential malicious domains sending threats
Description: This latest query is oriented to email threats and allows you to rate ISPs to detect:
- ISPs that are using multiple domains to send you threat emails.
- ISPs and domains with a high percentage of malicious emails, and to verify if any were delivered into Inbox folders.
- ISPs using multiple different IP addresses to send you threats.
...and more!
Explanation
This query is designed to analyze email threats by evaluating Internet Service Providers (ISPs) and their associated domains. Here's a simplified breakdown of what the query does:
-
Data Source: It uses an external data source containing CIDR (IP range) and ASN (Autonomous System Number) information to help identify the network details of email senders.
-
Email Event Analysis: It processes email events to:
- Identify ISPs using multiple domains to send potentially malicious emails.
- Determine ISPs and domains with a high percentage of malicious emails.
- Check if any of these emails were delivered to inbox folders.
- Detect ISPs using various IP addresses to send threats.
-
Data Enrichment: The query enriches the email data by adding geographical information based on the sender's IP address.
-
Summarization: It summarizes the data by:
- Listing different IPs and countries associated with each ISP.
- Counting the total number of different IPs and emails.
- Identifying threat types and counting how many emails were delivered to inboxes.
- Calculating the number of emails that were threats versus valid emails.
-
Ratios and Percentages: It calculates the ratio and percentage of suspicious (malicious) versus valid emails for each ISP.
-
Ordering and Projection: The results are ordered by the number of email threats and projected to show key information such as ISP name, domains used, IPs, countries, threat types, and the calculated percentages.
Overall, this query helps identify and rate ISPs based on their involvement in sending potentially malicious emails, providing insights into their behavior and the threat landscape.
Details

Sergio Albea
Released: December 26, 2024
Tables
Keywords
Operators