DefenderXDR Weekly OSINT Indicators Scan – KQL Automation

Did you know the DefenderXDR portal’s threat intelligence section offers a weekly download of OSINT indicators? I’ve created a powerful KQL automation that reads and exports the OSINT CSV file. My KQL code will then load the OSINT indicators (including file hashes like MD5, SHA1, and SHA256, as well as domains, IPs, and URLs) and scan them against your EmailAttachmentInfo, EmailUrlInfo, DeviceFileEvents, and DeviceNetworkEvents schemas for the past 30 days in a single KQL query. It returns the UNION of these scanning results. With just one click to export and scan, life couldn’t be easier, right? 💪

For those with direct access to DefenderXDR, I’ve shared the KQL Query URL that can be loaded directly into your advanced hunting. For others, I’ve placed a copy of the code in my GitHub repository for you to copy. Links are provided below.

KQL Query URL:

https://security.microsoft.com/v2/advanced-hunting?query=H4sIANKLtWcAA81WXW_aQBCc50r9D1ZeGiRCChGtlIpKEQSBmq_GTftQVZFjO8GNDQg7oUj98Znbs8EG49DiqJXl8_l2dm9ud2_vfLiIYOAbvy7u4WOGc5jo4wxf0OLYL8pdTDCERanDNuK7S-kMY0oOEXJkAo-IO1Rp66sgH3JlJkaUTGCvSCt4jVf4jgHe8I34jCk_xD6fCS1OUSPK4_iAFm74hsLLpsWhcFRtTf4D6pjk4LH3CZ9xwv8eNRRCz7bH0QfR99iG_O-IJ1zqK4yyuYdLYnyRKw4ubqU3YM-iJ1Q_YE9Z3KfHztHmN9-TPaLuZF3-vBeijvfoEn2DBt7ybQr_EI_0wQ98EI_4cYQWtkxaOxL0O463BJU_q5L8JmYqnNUKjHnclGaL7Q5lFucc4FpaK7a8M9ceU3OEn7Fv0vEtZlh_EXb1rZidMs7NknkFzIXmVqw67J_SY-qvDG6O7AGdmdvwuuIOOCmFkdrz_lZc-rgohYnH_z_nYVJu0ZvHsV99RiuSSmhztiCuPuGcYTGuz_aW8-Yz9gQXilZAhgY-8rVYNUasuwesFE5cLZd1s5VBZ-i18J5RM7-CVJ5dqc6CvLVdSVRfajXaeieVy0VrSu-hCpEjaic2ivT06tZ7YUh-Y1rzJHJdWbeb8oY6Nx45qk60RHrMkSQjyvbKUeqEWs3uhEFb0JacaE4q39OWklq43jcasfDmoq4_l1v1Fa2ysjIbjzORT2Wm-9SJk45KFvPvYtOW8WHmjmGy1tjCMuSTH6dLtgHRKpa6CmZ9aGS8qBAL36d18_eCUbCL_iYGjf86Br34ZpkXC1XHQsHbK_smuQerlRtL2kn9M2SOiD2H8w6FuVr9Ljk5fLz5TOqM6crN05d7ZGXNPAnbHrVCiUFr7ew1-kCj8ryyamnTSqpzQN2dNffNz8Jq4WlSLcioRZUtQi3v_c2xDTwBFhaTDvgMAAA&timeRangeId=SetInQuery

GitHub Repository:

https://github.com/SlimKQL/Hunting-Queries-Detection-Rules/blob/main/DefenderXDR/DefenderXDR%20Weekly%20OSINT%20Indicators%20Scan.kql

What Undercode Say:

Automation is what lets a small team keep up with a weekly indicator feed, and the DefenderXDR Weekly OSINT Indicators Scan is a compact example of it. The OSINT indicators (MD5, SHA1 and SHA256 hashes, domains, IPs and URLs) are loaded into a single KQL query and matched against the EmailAttachmentInfo, EmailUrlInfo, DeviceFileEvents and DeviceNetworkEvents tables over the past 30 days, and the hits from all four tables come back as one union, so one run covers both the mail and the endpoint side. Two caveats a practitioner should keep in mind: 30 days is the raw-event retention limit of advanced hunting, so an indicator published later than that cannot be matched retroactively, and OSINT feeds carry false positives (shared-hosting IPs, CDN domains, hashes of common installers), so every hit still needs triage before it is treated as an incident.
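As an added illustration of the pattern described above (this is example code written for this write-up, not the author's published query, and it does not reproduce his CSV export step), the block below stands in the indicator list as a datatable of constructed placeholder values and sweeps the same four tables over the same 30-day window, returning one union with a common schema. The datatable column names and the placeholder values are assumptions; replace the rows with the indicators from the weekly download.

```kql
// Added example: OSINT indicator sweep across email and device tables in Defender XDR advanced hunting.
// The datatable holds CONSTRUCTED placeholder indicators (RFC 5737 IP, .example domain, synthetic hashes);
// its column names are an assumption and do not claim to match the portal's CSV layout.
let Lookback = 30d;   // advanced hunting retains 30 days of raw events, so this is the maximum useful window
let Indicators = datatable(IndicatorType:string, IndicatorValue:string) [
    "SHA256", "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
    "SHA1",   "0011223344556677889900112233445566778899",
    "MD5",    "00112233445566778899aabbccddeeff",
    "Domain", "malicious.example",
    "IP",     "203.0.113.10",
    "URL",    "http://malicious.example/payload.bin"
];
// Split the feed by type once; lower-case hashes and hostnames so case in the feed cannot hide a match
let Hashes  = Indicators | where IndicatorType in ("MD5", "SHA1", "SHA256") | project IndicatorValue = tolower(IndicatorValue);
let Domains = Indicators | where IndicatorType == "Domain" | project IndicatorValue = tolower(IndicatorValue);
let IPs     = Indicators | where IndicatorType == "IP"     | project IndicatorValue;
let Urls    = Indicators | where IndicatorType == "URL"    | project IndicatorValue;
// isfuzzy=true keeps the query running in tenants where an email table is absent (no Defender for Office)
union isfuzzy=true
(
    // Email attachments record SHA256 only, so MD5/SHA1 indicators cannot match here
    EmailAttachmentInfo
    | where Timestamp > ago(Lookback)
    | where SHA256 in~ (Hashes)
    | project Timestamp, Source = "EmailAttachmentInfo", Indicator = SHA256,
              Context = strcat(SenderFromAddress, " -> ", RecipientEmailAddress, " : ", FileName),
              CorrelationId = NetworkMessageId
),
(
    // Email URLs: match the full URL from the feed or just its host
    EmailUrlInfo
    | where Timestamp > ago(Lookback)
    | where Url in~ (Urls) or UrlDomain in~ (Domains)
    | project Timestamp, Source = "EmailUrlInfo", Indicator = Url,
              Context = UrlDomain, CorrelationId = NetworkMessageId
),
(
    // Endpoint file events carry all three hash types; all three are returned so the analyst sees which one hit
    DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where SHA256 in~ (Hashes) or SHA1 in~ (Hashes) or MD5 in~ (Hashes)
    | project Timestamp, Source = "DeviceFileEvents",
              Indicator = strcat("sha256=", SHA256, " sha1=", SHA1, " md5=", MD5),
              Context = strcat(DeviceName, " : ", FolderPath, @"\", FileName),
              CorrelationId = tostring(ReportId)
),
(
    // Endpoint network events: RemoteUrl usually holds a hostname, sometimes a full URL, so test it against both lists
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where RemoteIP in (IPs) or RemoteUrl in~ (Domains) or RemoteUrl in~ (Urls)
    | project Timestamp, Source = "DeviceNetworkEvents",
              Indicator = strcat(RemoteIP, " ", RemoteUrl),
              Context = strcat(DeviceName, " : ", InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort),
              CorrelationId = tostring(ReportId)
)
| sort by Timestamp desc
```

The DeviceNetworkEvents arm is the noisiest of the four: a domain or IP from a public feed is often a CDN edge or shared host, so treat hits there as leads to pivot on (the CorrelationId lets you pull the full record with ReportId or NetworkMessageId) rather than as confirmed compromise. Running the four arms as one union also means a single result grid shows whether the same indicator appeared in mail and on an endpoint, which is usually the first question during triage.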

For those new to KQL, it is the query language used across Microsoft's security products, including Defender XDR advanced hunting and Microsoft Sentinel. Here are some basic patterns to get you started:

1. Search for specific events:

[kql]
// Connections to one remote address (the IP below is a placeholder)
DeviceNetworkEvents
| where RemoteIP == "192.168.1.1"
[/kql]

2. Filter by time range:

[kql]
EmailAttachmentInfo
| where Timestamp > ago(7d)
[/kql]

3. Join tables for comprehensive analysis:

[kql]
// Pair each file event with network activity of the same process on the same device;
// joining on DeviceId alone would pair every file event with every connection from that device
DeviceFileEvents
| join kind=inner (DeviceNetworkEvents) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, FileName, InitiatingProcessFileName, RemoteIP, RemoteUrl
[/kql]

4. Count events per remote IP (count() counts rows; dcount() counts distinct values):

[kql]
DeviceNetworkEvents
| where Timestamp > ago(7d)
| summarize Connections = count(), Devices = dcount(DeviceId) by RemoteIP
| top 20 by Connections
[/kql]

5. Extract file hashes:

[kql]
DeviceFileEvents
| where isnotempty(SHA256)
| project Timestamp, DeviceName, FileName, SHA256
[/kql]

In addition to KQL, here are some Linux and Windows commands that can enhance your cybersecurity practices:

Linux Commands:

  • List listening ports (ss replaces the deprecated netstat; use netstat -tuln on older systems):
    sudo ss -tulnp
    
  • Capture network traffic (-nn skips DNS and port-name lookups):
    sudo tcpdump -nn -i eth0
    
  • Fingerprint services and OS on a host you are authorised to scan (a service/version scan, not a vulnerability scan):
    sudo nmap -sV -O 192.168.1.1
    

Windows Commands:

  • List all running processes:
    [cmd]
    tasklist
    [/cmd]
  • Check network connections with the owning process ID (-o), so each socket can be matched to tasklist output:
    [cmd]
    netstat -ano
    [/cmd]
  • List Windows Firewall rules (this shows configured rules, not which ports are actually listening; use netstat -ano for that):
    [cmd]
    netsh advfirewall firewall show rule name=all
    [/cmd]

For further reading on KQL and DefenderXDR, consider exploring the following resources:
Microsoft Defender XDR Documentation
KQL Quick Reference

By integrating these tools and techniques into your cybersecurity strategy, you can significantly enhance your ability to detect and respond to threats. Automation, combined with a deep understanding of your environment, is the cornerstone of modern cybersecurity. Stay vigilant, stay informed, and keep automating!
