CloudWorker Abuse Detection
This query detects network connections (DeviceNetworkEvents) to known malicious Cloudflare Workers hostnames taken from the Netskope Threat Labs IoC list.
Detection Query
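//This query detects network connections to known malicious Cloudflare workers
// IoC source: the Netskope Threat Labs README is fetched at query time over HTTPS and
// read line by line as a single-column CSV. The file is Markdown, so its fence and
// heading lines are filtered out below. The list is trusted as published; replacing
// "main" in the URL with a fixed commit makes the IoC set reproducible and reviewable.
let NetskopeCloudflareWorkers = externaldata(Url: string)[@"https://raw.githubusercontent.com/netskopeoss/NetskopeThreatLabsIOCs/main/Phishing/CloudflareWorkers/IOCs/README.md"] with (format="csv", ignoreFirstRecord=True);
let CloudFlareWorkers = NetskopeCloudflareWorkers
| where Url !in ("```text", "- **URLs**", "```") // drop Markdown scaffolding lines (ParseOutJunk)
| extend domain = split(Url, '/') // "scheme://host/path" -> ["scheme:", "", "host", "path"]
| extend RemoteUrl = replace_string(strcat(domain[1], domain[2]), '[.]', '.') // keep the host only, re-fang "[.]"
| where isnotempty(RemoteUrl) // a line without "//" yields an empty host; "" in the list would match every event with an empty RemoteUrl
| distinct RemoteUrl;
DeviceNetworkEvents
| where RemoteUrl in~ (CloudFlareWorkers) // in~: hostnames are case-insensitive; example, use as you please
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl) // analyst pivot link
Data Sources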
DeviceNetworkEvents
Platforms
windows
Tags
defenderioc
Raw Content
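//This query detects network connections to known malicious Cloudflare workers
// IoC source: the Netskope Threat Labs README is fetched at query time over HTTPS and
// read line by line as a single-column CSV. The file is Markdown, so its fence and
// heading lines are filtered out below. The list is trusted as published; replacing
// "main" in the URL with a fixed commit makes the IoC set reproducible and reviewable.
let NetskopeCloudflareWorkers = externaldata(Url: string)[@"https://raw.githubusercontent.com/netskopeoss/NetskopeThreatLabsIOCs/main/Phishing/CloudflareWorkers/IOCs/README.md"] with (format="csv", ignoreFirstRecord=True);
let CloudFlareWorkers = NetskopeCloudflareWorkers
| where Url !in ("```text", "- **URLs**", "```") // drop Markdown scaffolding lines (ParseOutJunk)
| extend domain = split(Url, '/') // "scheme://host/path" -> ["scheme:", "", "host", "path"]
| extend RemoteUrl = replace_string(strcat(domain[1], domain[2]), '[.]', '.') // keep the host only, re-fang "[.]"
| where isnotempty(RemoteUrl) // a line without "//" yields an empty host; "" in the list would match every event with an empty RemoteUrl
| distinct RemoteUrl;
DeviceNetworkEvents
| where RemoteUrl in~ (CloudFlareWorkers) // in~: hostnames are case-insensitive; example, use as you please
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl) // analyst pivot link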