kqlHunting

Potentially Ungoverned AI Domains such as ChatGPT

This query looks for use of ungoverned AI tools by matching DeviceNetworkEvents against an externally hosted list of AI-tool domains.

Detection Query

// This query looks for use of ungoverned AI tools by matching DeviceNetworkEvents against an externally hosted domain list
let UngovernedAI_IOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/PotentiallyUngovernedAITools.csv"] with (format="csv", ignoreFirstRecord=true);
let DomainList = UngovernedAI_IOCs
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d) // In Advanced Hunting use Timestamp instead of TimeGenerated, e.g. | where Timestamp > ago(30d)
| where RemoteUrl in~ (DomainList)
| summarize count() by RemoteUrl
// After hunting, visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading it to MDE to block all domains. Remove any results that are legitimate usage.
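To make the matching step concrete, here is an added Python example (not code from the kqlHunting page or the jkerai1 repository) that replays the query's logic over constructed DeviceNetworkEvents rows and a constructed copy of the CSV's two-column layout. It goes one step beyond the query: because `in~` only matches a RemoteUrl that equals an indicator exactly, the example first reduces RemoteUrl to its hostname and also checks each parent domain, so full URLs and subdomains of a listed domain are counted too.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit
# Constructed stand-in for PotentiallyUngovernedAITools.csv (same two columns as the real feed).
IOC_CSV = """type,IndicatorValue
domain,chatgpt.com
domain,chat.openai.com
domain,example-ai-tool.invalid
"""
# Constructed DeviceNetworkEvents rows: RemoteUrl is sometimes a bare host, sometimes a full URL.
EVENTS = [
    {"DeviceName": "wks01", "RemoteUrl": "chatgpt.com"},
    {"DeviceName": "wks02", "RemoteUrl": "https://chatgpt.com/c/abc123"},
    {"DeviceName": "wks03", "RemoteUrl": "CHAT.OPENAI.COM"},
    {"DeviceName": "wks03", "RemoteUrl": "cdn.example-ai-tool.invalid"},
    {"DeviceName": "wks04", "RemoteUrl": "https://learn.microsoft.com/kusto"},
    {"DeviceName": "wks05", "RemoteUrl": ""},
]

def load_domain_list(csv_text):
    """Same role as externaldata(...) | project IndicatorValue; DictReader skips the header row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["IndicatorValue"].strip().lower() for row in reader if row.get("IndicatorValue")}

def host_of(remote_url):
    """Reduce a RemoteUrl value (bare host or full URL) to its lower-case hostname, '' if absent."""
    value = remote_url.strip().lower()
    if "://" not in value:
        value = "//" + value  # scheme-relative form so urlsplit treats the text as the netloc
    return urlsplit(value).hostname or ""

def matched_domain(host, domains):
    """Exact match first (what in~ does), then each parent domain so subdomains are caught too."""
    for i in range(host.count(".") + 1):
        candidate = host.split(".", i)[-1]
        if candidate in domains:
            return candidate
    return None

def summarize_by_domain(events, csv_text=IOC_CSV):
    """Mirror of `summarize count() by RemoteUrl`, keyed by the indicator domain that matched."""
    domains = load_domain_list(csv_text)
    counts = Counter()
    for event in events:
        hit = matched_domain(host_of(event["RemoteUrl"]), domains)
        if hit:
            counts[hit] += 1
    return counts
```

Rows that only match via the hostname or parent-domain step are exactly the ones the `in~` comparison in the query would miss, so a non-zero difference between the two counts is a signal to normalise RemoteUrl before matching.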

Data Sources

DeviceNetworkEvents

Platforms

windows

Tags

defenderhuntingioc