Teams Threat Intelligence Indicator Hit for Domain or URL



This rule detects and alerts on known threats in Teams messages when a domain or URL contained in a message matches a Microsoft Defender Threat Intelligence indicator (of type 'Domain' or 'URL').

| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 2e7cda70-c3cd-4173-945e-6b5c14b05817 |
| Tactics | InitialAccess |
| Techniques | T1566 |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
MessageEvents ? ?
MessageUrlInfo ? ?
ThreatIntelIndicators ?

Associated Connectors

The following connectors provide data for this content item:

| Connector | Solution |
|---|---|
| CrowdStrikeFalconAdversaryIntelligence | CrowdStrike Falcon Endpoint Protection |
| CyjaxIOCAPI | Cyjax |
| LumenThreatFeedConnectorV2 | Lumen Defender Threat Feed |
| LumenThreatFeedConnectorV2PrivateNetworking | Lumen Defender Threat Feed |
| MicrosoftDefenderThreatIntelligence | Threat Intelligence |
| PremiumMicrosoftDefenderForThreatIntelligence | Threat Intelligence |
| ThreatIntelligence | Threat Intelligence |
| ThreatIntelligenceTaxii | Threat Intelligence |
| ThreatIntelligenceUploadIndicatorsAPI | Threat Intelligence |

Solutions: CrowdStrike Falcon Endpoint Protection, Cyjax, Lumen Defender Threat Feed, Threat Intelligence

