
ThreatFox Malware Domains

Source: ThreatFox

Defender For Endpoint

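// ThreatFox hosts-file feed from abuse.ch. Each data line is a hosts entry
// ("127.0.0.1<whitespace>domain"); comment lines begin with '#'.
// The feed is fetched on every run, so it is materialized once below.
let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True);
// Cheap pre-filter: keep only lines that carry a dotted IPv4 address.
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MalwareDomains = materialize (
     ThreatIntelFeed
     | where LineInfo matches regex IPRegex
     // Anchor on the literal sinkhole address and capture only the domain
     // token. The earlier pattern '127.0.0.1(.*)' left the dots unescaped and
     // swallowed the separator whitespace into the captured domain, which then
     // became part of the has_any search term.
     | extend domain = extract(@'^127\.0\.0\.1\s+(\S+)', 1, LineInfo)
     // Drop lines that matched IPRegex but are not 127.0.0.1 entries.
     | where isnotempty(domain)
     | distinct domain
     | take 10000 // has_any accepts at most 10,000 values
     );
DeviceNetworkEvents
// has_any is term-based and case-insensitive: a feed entry "evil.example"
// also matches URLs whose host merely contains that token sequence (e.g. a
// longer host such as "evil.example.other"). Review hits accordingly.
| where RemoteUrl has_any (MalwareDomains)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName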

Sentinel

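// ThreatFox hosts-file feed from abuse.ch. Each data line is a hosts entry
// ("127.0.0.1<whitespace>domain"); comment lines begin with '#'.
// The feed is fetched on every run, so it is materialized once below.
let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True);
// Cheap pre-filter: keep only lines that carry a dotted IPv4 address.
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MalwareDomains = materialize (
     ThreatIntelFeed
     | where LineInfo matches regex IPRegex
     // Anchor on the literal sinkhole address and capture only the domain
     // token. The earlier pattern '127.0.0.1(.*)' left the dots unescaped and
     // swallowed the separator whitespace into the captured domain, which then
     // became part of the has_any search term.
     | extend domain = extract(@'^127\.0\.0\.1\s+(\S+)', 1, LineInfo)
     // Drop lines that matched IPRegex but are not 127.0.0.1 entries.
     | where isnotempty(domain)
     | distinct domain
     | take 10000 // has_any accepts at most 10,000 values
     );
DeviceNetworkEvents
// has_any is term-based and case-insensitive: a feed entry "evil.example"
// also matches URLs whose host merely contains that token sequence (e.g. a
// longer host such as "evil.example.other"). Review hits accordingly.
| where RemoteUrl has_any (MalwareDomains)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName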