TI Threatviewio Feed In Email Url Info
Query
//Based on Query from Bert-Jan P #thx
//https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/401f5fe662453450f9c4051189dfcde9f1063086/Threat%20Hunting/TI%20Feed%20-%20ThreatviewioIP-High-Confidence-Feed.md?plain=1#L4
let ThreatIntelFeed = externaldata(Domain: string)[@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True)
| project Domain = tolower(Domain);
EmailUrlInfo
| join kind=inner ThreatIntelFeed on $left.Url == $right.Domain
| join EmailEvents on NetworkMessageIdExplanation
This query is using threat intelligence data from a feed to check if any URLs in email events match known malicious domains. It then joins this information to identify any potential threats in email events.
Details

Benjamin Zulliger
Released: June 7, 2024
Tables
EmailUrlInfoThreatIntelFeedEmailEvents
Keywords
EmailUrlInfoThreatIntelFeedEmailEventsNetworkMessageId
Operators
joinkindinnerprojecttoloweron$leftUrl$rightDomain