kqlHunting

Personal Messaging Domains - DeviceNetworkEvents

This query looks for usage of chat websites by matching DeviceNetworkEvents against a published list of chat-site domains. Once you have hunted, consider downloading the list from https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOC-CSVs/ChatSites.csv and uploading it to Indicators in MDE, so that future connections are audited, warned on or blocked rather than only found after the fact. The query filters on TimeGenerated, so it targets DeviceNetworkEvents as ingested into Microsoft Sentinel; in Defender XDR advanced hunting the timestamp column is Timestamp and retention is shorter than the 90 days used here. Because externaldata fetches the CSV from GitHub every time the query runs, whoever can change that file changes what the query flags; if you schedule it, pin the URL to a specific commit or host a vetted copy yourself.

Detection Query

//This query looks for usage of chat websites. Once you have hunted, consider downloading the list from https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOC-CSVs/ChatSites.csv and uploading it to Indicators in MDE
// Pull the chat-site list from GitHub at query time; the first CSV row is a header
let ChatIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/ChatSites.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = ChatIOCs
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
// Case-insensitive match of the whole RemoteUrl against the list: a URL with a path or an unlisted subdomain will not match
| where RemoteUrl in~(DomainList)
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
// Uncomment DeviceName / InitiatingProcessAccountUpn to attribute hits to hosts and users
| summarize count() by RemoteUrl,VT_domain //,DeviceName, InitiatingProcessAccountUpn
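The `in~` comparison above only matches when RemoteUrl equals a list entry exactly, but RemoteUrl in DeviceNetworkEvents can hold either a bare FQDN or a full URL, and deeper subdomains (for example a web client under a listed apex domain) will not match. The following is an added example, not code from the kqlHunting page or from the jkerai1 repository: it reads the same ChatSites.csv feed, reduces each RemoteUrl to its host, compares the host and every parent domain down to two labels against the list, and attributes hits per device, user and initiating process. It assumes the Sentinel schema (TimeGenerated, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessFileName); the column names in the summarize are otherwise ordinary DeviceNetworkEvents fields.

```kql
// Added example: host-normalised, parent-domain-aware variant of the chat-site hunt.
// Not part of the original page; assumes Sentinel's DeviceNetworkEvents (TimeGenerated).
let ChatIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/ChatSites.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = ChatIOCs
| extend IndicatorValue = tolower(trim(@"\s+", IndicatorValue))   // normalise case and stray whitespace
| where isnotempty(IndicatorValue)
| distinct IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where isnotempty(RemoteUrl)
// RemoteUrl is either a bare FQDN or a full URL; keep only the host part
| extend Host = tolower(iff(RemoteUrl contains "://",
                            tostring(parse_url(RemoteUrl).Host),
                            tostring(split(RemoteUrl, "/")[0])))
| extend Host = trim_end(@"\.", Host)   // drop a trailing dot from DNS-style names
// Expand each host into itself and its parent domains down to two labels:
// web.whatsapp.com -> web.whatsapp.com, whatsapp.com
| extend Labels = split(Host, ".")
| mv-expand Idx = range(0, array_length(Labels) - 2) to typeof(long)
| extend Candidate = strcat_array(array_slice(Labels, Idx, -1), ".")
| where Candidate in~ (DomainList)
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hosts = make_set(Host, 20),
            Processes = make_set(InitiatingProcessFileName, 10)
    by Candidate, DeviceName, InitiatingProcessAccountUpn
| extend VT_domain = strcat(@"https://www.virustotal.com/gui/domain/", Candidate)
| order by Hits desc
```

Single-label hosts (no dot) produce an empty range and drop out of the mv-expand, so they are never compared. If the list contains both a subdomain and its apex, a connection to the subdomain is counted once under each Candidate row, which is usually what you want when reviewing results but should be kept in mind before turning the query into a scheduled analytics rule.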

Data Sources

DeviceNetworkEvents

Platforms

windows

Tags

defenderioc