Query Details

Communication To Threatintelconz Feed IP

Query

// Communication to threatintel.co.nz Feed (https://www.threatintel.co.nz/ioc-feeds/)
// Pull the raw feed; each line is expected to carry one IP address (first line is a header).
let threatintelconzraw = externaldata(IPaddr: string)[@"https://www.threatintel.co.nz/wp-content/uploads/IP"] with (format="txt", ignoreFirstRecord=true);
// Reduce the feed to a single string column of IPv4 addresses so the lookup set is unambiguous;
// extract_all()[0] yields a dynamic value, so it is cast to string and empty (non-matching) lines are dropped.
let threatintelconzIPv4 = threatintelconzraw
| project IPv4 = tostring(extract_all(@"((?:[0-9]{1,3}\.){3}[0-9]{1,3})", IPaddr)[0])
| where isnotempty(IPv4);
// Flag any network event whose remote address appears in the feed.
// has_any is term-based matching; for strict equality on the full IP string, `in` is the exact alternative.
DeviceNetworkEvents
| where RemoteIP has_any (threatintelconzIPv4)

Explanation

This query pulls the IP indicator list published by the threatintel.co.nz feed with externaldata, extracts the IPv4 address from each feed line, and then returns every DeviceNetworkEvents record whose RemoteIP matches one of those addresses, surfacing device traffic to or from IPs the feed reports as malicious.
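A triage-oriented variant of the same lookup, added here as an example and not part of the original query: it joins the feed to the events (so the matched indicator is retained for exact-match review) and summarizes hits per device and remote IP over the last seven days. It assumes the standard Microsoft Defender advanced hunting schema for DeviceNetworkEvents (Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName).

```kql
// Added example: threatintel.co.nz IP feed matched against DeviceNetworkEvents via join,
// with per-device summaries to start triage from the noisiest hosts.
let feed = externaldata(IPaddr: string)[@"https://www.threatintel.co.nz/wp-content/uploads/IP"]
    with (format="txt", ignoreFirstRecord=true)
    // Keep the first IPv4 address found on each line; drop header/comment lines without one.
    | extend IPv4 = extract(@"((?:[0-9]{1,3}\.){3}[0-9]{1,3})", 1, IPaddr)
    | where isnotempty(IPv4)
    | distinct IPv4;
DeviceNetworkEvents
| where Timestamp > ago(7d)          // bound the search window; widen for retrospective hunts
| where isnotempty(RemoteIP)
// Inner join keeps only events whose RemoteIP exactly equals a feed indicator.
| join kind=inner feed on $left.RemoteIP == $right.IPv4
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RemotePorts = make_set(RemotePort, 20),
            Processes = make_set(InitiatingProcessFileName, 20)
    by DeviceName, RemoteIP
| order by Connections desc
```

The distinct on the feed side prevents duplicate indicators from inflating Connections, and the process set shows which binaries initiated the flagged connections.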

Details

Benjamin Zulliger

Released: June 7, 2024

Tables

threatintelconzraw

Keywords

DeviceNetworkEvents,RemoteIP,threatintelconzIPv4,IPaddr,IPv4

Operators

externaldata,extend,extract_all,where,has_any
