Query Details

C2IntelFeeds IPs

Query

Tags:

Query:
DeviceNetworkEvents
// Only outbound connections to public address space are of interest here
| where RemoteIPType == "Public"
// Match the remote IP against the C2IntelFeeds 30-day C2 IP list (CSV with a header row and a single IP column)
| where RemoteIP in ((externaldata(IP: string) [@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"]
with (format=csv, ignoreFirstRecord=true) | distinct IP
))
// Drop connections initiated by common browsers to reduce noise from ordinary web browsing
| where InitiatingProcessFileName !in ("Google Chrome Helper", "chrome.exe", "firefox.exe", "msedge.exe", "opera.exe")

References:

Explanation

A simple summary of the query:

  1. Source Table: The query is looking at data from the DeviceNetworkEvents table.
  2. Filter for Public IPs: It filters the events to only include those where the RemoteIPType is "Public".
  3. Check Against External List: It then checks if the RemoteIP is in a list of IP addresses from an external CSV file hosted on GitHub. This file contains potentially malicious IP addresses.
  4. Exclude Certain Processes: Finally, it excludes events where the initiating process is one of several common web browsers (like Chrome, Firefox, Edge, and Opera).

In essence, this query identifies network events involving public IP addresses that match a list of suspicious IPs, but it ignores events initiated by common web browsers.
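As an added example (not part of the original page or the C2IntelFeeds project), the same three filters reproduced in Python over constructed DeviceNetworkEvents rows and a constructed stand-in for the feed's CSV layout, so the matching can be exercised offline. The process-name comparison is kept case-sensitive to mirror KQL's !in operator.

```python
import csv
import io
from typing import Dict, Iterable, List, Set

# Constructed stand-in for the IPC2s-30day.csv feed the query pulls with externaldata():
# a header row (hence ignoreFirstRecord=true) followed by one IP per line. The addresses
# are documentation/test ranges, not real indicators; the duplicate shows why `distinct IP` is used.
FEED_CSV = """IP
198.51.100.23
203.0.113.77
198.51.100.23
"""

# Mirrors the query's `!in (...)` list. KQL `!in` is case-sensitive, so this set lookup
# is deliberately case-sensitive too ("Chrome.exe" would NOT be excluded).
BROWSER_PROCESSES = {"Google Chrome Helper", "chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}


def load_feed_ips(feed_text: str) -> Set[str]:
    """Parse the feed like `externaldata(IP:string) with (format=csv, ignoreFirstRecord=true) | distinct IP`."""
    reader = csv.DictReader(io.StringIO(feed_text))  # DictReader consumes the header row
    return {row["IP"].strip() for row in reader if row.get("IP")}


def match_c2_events(events: Iterable[Dict[str, str]], feed_ips: Set[str]) -> List[Dict[str, str]]:
    """Apply the query's three filters, in order, to DeviceNetworkEvents-shaped rows."""
    hits = []
    for ev in events:
        if ev.get("RemoteIPType") != "Public":           # | where RemoteIPType == "Public"
            continue
        if ev.get("RemoteIP") not in feed_ips:           # | where RemoteIP in (feed)
            continue
        if ev.get("InitiatingProcessFileName") in BROWSER_PROCESSES:  # | where ... !in (browsers)
            continue
        hits.append(ev)
    return hits


# Constructed DeviceNetworkEvents rows covering each branch of the filter.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "198.51.100.23", "RemoteIPType": "Public", "InitiatingProcessFileName": "powershell.exe"},
    {"DeviceName": "ws02", "RemoteIP": "198.51.100.23", "RemoteIPType": "Public", "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemoteIPType": "Private", "InitiatingProcessFileName": "powershell.exe"},
    {"DeviceName": "ws04", "RemoteIP": "203.0.113.77", "RemoteIPType": "Public", "InitiatingProcessFileName": "Chrome.exe"},
    {"DeviceName": "ws05", "RemoteIP": "192.0.2.9", "RemoteIPType": "Public", "InitiatingProcessFileName": "svchost.exe"},
]

if __name__ == "__main__":
    for hit in match_c2_events(SAMPLE_EVENTS, load_feed_ips(FEED_CSV)):
        print(hit["DeviceName"], hit["RemoteIP"], hit["InitiatingProcessFileName"])
```

Running it reports ws01 and ws04: ws02 is dropped by the browser exclusion, ws03 is not public, ws05 is not in the feed, and ws04 survives only because "Chrome.exe" does not match the lower-case list entry.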

Details


Ali Hussein

Released: September 13, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, RemoteIPType, RemoteIP, externaldata, InitiatingProcessFileName

Operators

DeviceNetworkEvents, |, where, ==, in, externaldata, :string, [@"..."], with, format=csv, ignoreFirstRecord=true, distinct, !in
