DigitalSide Threat-Intel suspicious and/or malicious domains
TI Feed Digital Side Domains
Query
let ThreatIntelFeed = externaldata(Domain: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl has_any (ThreatIntelFeed)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountNameAbout this query
DigitalSide Threat-Intel suspicious and/or malicious domains
Source: DigitalSide Threat-Intel
Feed information: https://osint.digitalside.it/
Feed link: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
Defender XDR
Sentinel
let ThreatIntelFeed = externaldata(Domain: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl has_any (ThreatIntelFeed)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
Explanation
This query is designed to identify suspicious or malicious domains from network events by using a threat intelligence feed from DigitalSide. Here's a simple breakdown of what each part does:
-
Threat Intelligence Feed: The query starts by loading a list of potentially harmful domains from an external source provided by DigitalSide. This list is accessed via a URL and is formatted as a text file.
-
Device Network Events: The query then examines network events recorded by devices. It looks specifically at the URLs that devices have connected to.
-
Filtering: The query filters these network events to find any instances where the device connected to a URL that matches one of the domains in the threat intelligence feed.
-
Projection: For any matching events, the query extracts and displays specific details, including:
- The timestamp of the event.
- The URL and IP address the device connected to.
- The name of the device.
- Information about the process that initiated the connection, such as the command line used, the file name, and the account domain and name.
The difference between the two queries (Defender XDR and Sentinel) is minimal, with the main distinction being the field name for the timestamp (Timestamp in Defender XDR and TimeGenerated in Sentinel). Both queries serve the same purpose of identifying potentially harmful connections based on the threat intelligence feed.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators