Query Details

Command & Control intel Feeds (Domain Based)

TI Feed C2URL Feed Filter Abuse

Query

// Collect Remote data
let C2IntelFeeds = externaldata(Domain: string, ioc:string, path:string, IP:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2swithURLwithIP-filter-abused.csv"] with (format="csv", ignoreFirstRecord=True);
// Generate list that can be used to filter DeviceNetworkEvents
let DomainList = C2IntelFeeds
| distinct Domain;
DeviceNetworkEvents
// Filter only on C2 Domains
| extend ToLowerUrl = tolower(RemoteUrl)
| where RemoteUrl has_any (DomainList)
// Lookup the C2IntelFeed information.
| lookup C2IntelFeeds on $left.RemoteIP == $right.IP
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl

About this query

Explanation

This query is designed to detect potential Command & Control (C2) activities by analyzing network events against a known list of malicious domains. Here's a simple breakdown of what the query does:

  1. Data Collection: It pulls in data from an external CSV file that contains information about known C2 domains, URLs, and IP addresses. This file is hosted on GitHub.

  2. Domain List Creation: It extracts a distinct list of domains from the imported data. This list is used to filter network events.

  3. Event Filtering: It examines network events (specifically, DeviceNetworkEvents) to identify any events where the remote URL matches any of the domains in the list of known C2 domains.

  4. Information Lookup: For any matching events, it performs a lookup to gather additional information from the C2 data, specifically matching on the IP address.

  5. Geolocation Enrichment: It enriches the data with geolocation information based on the remote IP address, extracting details like country, state, city, latitude, and longitude.

  6. Data Presentation: Finally, it organizes and presents the relevant information, such as the timestamp, device name, remote IP, remote port, and remote URL, in a specific order for easier analysis.

The query is structured similarly for both Defender XDR and Sentinel, with minor differences in the field names used for timestamps.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

CommandControlIntelFeedsDomainDevicesNetworkEventsRemoteDataGeoIPInformation

Operators

externaldatawithdistinctextendtolowerwherehas_anylookupongeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub