EXPLORE
Sign In
← Back to Explore
kqlHunting

ROSTI (Repackaged Open Source Intelligence) MDE Network Events IOC Hits

Looks for Network Traffic hits from the ROSTI Feed

Detection Query

//Looks for Network Traffic hits from the ROSTI Feed
//Source: https://rosti.bin.re/feeds
let RostiBinIOCs = externaldata(type: string, IndicatorValue: string)[@"https://sduixpgwciwivgpuisyf.supabase.co/storage/v1/object/public/bulk-exports/mde-all.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = RostiBinIOCs
| where type == "DomainName" or type == "Url"
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList )
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain

Data Sources

DeviceNetworkEvents

Platforms

windows

Tags

defenderti-feedioc
Raw Content
//Looks for Network Traffic hits from the ROSTI Feed
//Source: https://rosti.bin.re/feeds
let RostiBinIOCs = externaldata(type: string, IndicatorValue: string)[@"https://sduixpgwciwivgpuisyf.supabase.co/storage/v1/object/public/bulk-exports/mde-all.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = RostiBinIOCs
| where type == "DomainName" or type == "Url"
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList )
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain