Command & Control intel Feeds (Domain Based)
TI Feed C2URL Feed Filter Abuse
Query
// Collect Remote data
let C2IntelFeeds = externaldata(Domain: string, ioc:string, path:string, IP:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2swithURLwithIP-filter-abused.csv"] with (format="csv", ignoreFirstRecord=True);
// Generate list that can be used to filter DeviceNetworkEvents
let DomainList = C2IntelFeeds
| distinct Domain;
DeviceNetworkEvents
// Filter only on C2 Domains
| extend ToLowerUrl = tolower(RemoteUrl)
| where RemoteUrl has_any (DomainList)
// Lookup the C2IntelFeed information.
| lookup C2IntelFeeds on $left.RemoteIP == $right.IP
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrlAbout this query
Explanation
This query is designed to detect potential Command & Control (C2) activities by analyzing network events against a known list of malicious domains. Here's a simple breakdown of what the query does:
-
Data Collection: It pulls in data from an external CSV file that contains information about known C2 domains, URLs, and IP addresses. This file is hosted on GitHub.
-
Domain List Creation: It extracts a distinct list of domains from the imported data. This list is used to filter network events.
-
Event Filtering: It examines network events (specifically,
DeviceNetworkEvents) to identify any events where the remote URL matches any of the domains in the list of known C2 domains. -
Information Lookup: For any matching events, it performs a lookup to gather additional information from the C2 data, specifically matching on the IP address.
-
Geolocation Enrichment: It enriches the data with geolocation information based on the remote IP address, extracting details like country, state, city, latitude, and longitude.
-
Data Presentation: Finally, it organizes and presents the relevant information, such as the timestamp, device name, remote IP, remote port, and remote URL, in a specific order for easier analysis.
The query is structured similarly for both Defender XDR and Sentinel, with minor differences in the field names used for timestamps.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators