Microsoft Tech Community

Detection Rule using known bad email domains/addresses


Hi Folks,

I wrote a query for detecting PowerShell activity when a user clicks on a link coming from known bad email addresses/domains.

My query works for a single email/domain; I was trying to find a way to convert this into a detection rule where all the domains/addresses we collect from Threat Intelligence sources can be constantly monitored for all onboarded devices.

I'm struggling to figure out how to funnel all the collected domains into the query.


Really appreciate any guidance/help on this.

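One way to feed a whole indicator list into a query of this kind, as an added example that is not the poster's own query: the indicators live in a single `let` statement at the top, and the rest of the detection is the email-to-click-to-process chain the post describes. The query assumes the Microsoft Defender XDR advanced hunting tables `EmailEvents`, `UrlClickEvents` and `DeviceProcessEvents` with their standard columns; the domain and address values are constructed placeholders, and the watchlist name and CSV URL in the commented alternatives are assumptions.

```kql
// Added example, not from the original post. Assumes the Defender XDR advanced
// hunting schema (EmailEvents, UrlClickEvents, DeviceProcessEvents).
//
// Option A: indicators inline. Fine for a handful of values; replace these
// constructed placeholders with the TI feed contents.
let BadSenderDomains = dynamic(["bad-example.invalid", "phish-example.test"]);
let BadSenderAddresses = dynamic(["sender@bad-example.invalid"]);
//
// Option B (Microsoft Sentinel): read the list from a watchlist so analysts
// can update it without touching the rule. Watchlist name and column names are
// assumptions; `in~` accepts a single-column tabular expression.
// let BadSenderDomains   = _GetWatchlist('BadSenders') | where Type == "domain"  | project Value;
// let BadSenderAddresses = _GetWatchlist('BadSenders') | where Type == "address" | project Value;
//
// Option C: pull a CSV your TI pipeline publishes (assumed URL).
// let BadSenderDomains = externaldata(Domain:string)[@"https://storage.example.invalid/badsenders.csv"] | project Domain;
//
let ClickWindow = 1h;   // max gap between email delivery and the link click
let ExecWindow  = 30m;  // max gap between the click and PowerShell starting
// Step 1: mail from any listed sender domain or address.
EmailEvents
| where SenderFromDomain in~ (BadSenderDomains)
     or SenderFromAddress in~ (BadSenderAddresses)
| project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, Subject
// Step 2: a click on a URL from that same message, keyed by NetworkMessageId.
| join kind=inner (
    UrlClickEvents
    | project ClickTime = Timestamp, NetworkMessageId, AccountUpn, Url
  ) on NetworkMessageId
| where ClickTime between (EmailTime .. (EmailTime + ClickWindow))
// Step 3: PowerShell launched under the clicking account shortly after.
| join kind=inner (
    DeviceProcessEvents
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | project ExecTime = Timestamp, AccountUpn, DeviceName, FileName,
              ProcessCommandLine, InitiatingProcessFileName
  ) on AccountUpn
| where ExecTime between (ClickTime .. (ClickTime + ExecWindow))
| project EmailTime, ClickTime, ExecTime, RecipientEmailAddress, SenderFromAddress,
          Subject, Url, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by ExecTime desc
```

Only one of the three `let` options should be active at a time; the query body does not change between them, which is the point of keeping the indicator source separate from the detection logic. The two time windows are the main tuning knobs: widen them if clicks or executions are being missed, narrow them if unrelated PowerShell activity from the same account is creating noise.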