Query Details

Identities Bad Reputation ASN Activities

Query

**Identities Bad Reputation ASN activities**

**Description**: This query enriches sign-in events with ASN/CIDR information from the 'Firewall IP Lists @ Gyp the Cat dot Com' site (which takes data provided by other services and formats it) and combines it with the 'Bad ASN Rate/Reputation' list from the well-known source SpamHaus. As a result, it shows whether a user sign-in attempt was triggered from a sender IP address belonging to one of those ASNs, and it can be filtered to show only the 'LogonSuccess' cases:

```kusto
// Lookup table of CIDR ranges with their ASN and ASN name (header row skipped)
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
    ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
    with (ignoreFirstRecord=true));
// SpamHaus ASN-DROP list, one JSON object per line
let Malicious_ASN = (externaldata (asn:string)
    ['https://www.spamhaus.org/drop/asndrop.json']
    with (format="multijson"));
IdentityLogonEvents
// Match each sign-in IP to a CIDR range (unmatched rows are kept here, then dropped below)
| evaluate ipv4_lookup(CIDRASN, IPAddress, CIDR, return_unmatched=true)
| extend GeoIPData = geo_info_from_ip_address(IPAddress)
| where isnotempty(CIDR)
| extend asn_info = tostring(CIDRASN)
// Uncomment to keep only successful sign-ins
//| where ActionType has "LogonSuccess"
// Inner join keeps only sign-ins whose ASN appears on the bad-reputation list
| join kind=inner (Malicious_ASN) on $left.asn_info == $right.asn
```

Explanation

This query is designed to identify potentially malicious user sign-in attempts based on IP address information. Here's a simplified breakdown of what it does:

  1. Data Sources:

    • It uses two external data sources:
      • A list of IP address ranges (CIDR) and their associated Autonomous System Numbers (ASN) from a site called 'Firewall IP Lists @ Gyp the Cat dot Com'.
      • A list of ASNs with bad reputations from SpamHaus, a well-known source for identifying malicious networks.
  2. Process:

    • The query first loads the CIDR and ASN data from the external source.
    • It also loads the list of malicious ASNs from SpamHaus.
    • It then looks up the ASN information for each IP address in the IdentityLogonEvents table.
    • It enriches the data with geographical information based on the IP address.
    • It filters out any entries where the CIDR information is not available.
    • It extends the data with ASN information.
  3. Join Operation:

    • The query performs an inner join between the enriched logon events and the list of malicious ASNs. This means it only keeps records where the ASN from the logon event matches an ASN in the malicious list.
  4. Outcome:

    • The result is a list of user sign-in attempts where the IP address is associated with an ASN that has a bad reputation, indicating potential malicious activity.
  5. Optional Filtering:

    • There's a commented-out line (`//| where ActionType has "LogonSuccess"`) that, if uncommented, would filter the results to show only successful login attempts.

In summary, this query helps identify potentially risky user sign-ins by checking if the IP addresses involved are linked to networks known for malicious activity.
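To see the query's logic end to end without Defender or the live feeds, here is an added offline model of it in Python (example code, not the query author's and not part of this page). It uses constructed sample data in the shape the query reads, assumes the ASN-DROP feed is one JSON object per line with a numeric `asn` field plus a trailing metadata record, and resolves nested CIDRs by longest prefix; the event field names `AccountUpn` and `ActionType` values are assumptions.

```python
import csv, io, ipaddress, json

# Constructed sample data mimicking the CIDR/ASN CSV the query downloads (not the real feed).
CIDR_ASN_CSV = """CIDR,CIDRASN,CIDRASNName
203.0.113.0/24,64500,EXAMPLE-HOSTING
203.0.113.128/25,64501,EXAMPLE-SUBNET
198.51.100.0/24,64502,EXAMPLE-ISP
"""
# Constructed ASN-DROP style input: one JSON object per line, asn as a number (assumed layout).
ASNDROP_JSON = """{"asn":64501,"rir":"example","domain":"bad.example","cc":"XX","asname":"BAD-NET"}
{"type":"metadata","timestamp":0,"size":1,"records":1}
"""
# Constructed rows resembling IdentityLogonEvents (field names assumed).
LOGON_EVENTS = [
    {"AccountUpn": "alice@example.com", "IPAddress": "203.0.113.200", "ActionType": "LogonSuccess"},
    {"AccountUpn": "bob@example.com", "IPAddress": "203.0.113.10", "ActionType": "LogonFailed"},
    {"AccountUpn": "carol@example.com", "IPAddress": "203.0.113.129", "ActionType": "LogonFailed"},
    {"AccountUpn": "dave@example.com", "IPAddress": "192.0.2.9", "ActionType": "LogonSuccess"},
]

def load_cidr_asn(text):
    """Parse CIDR,CIDRASN,CIDRASNName rows; the header is skipped like ignoreFirstRecord=true."""
    rows = csv.DictReader(io.StringIO(text))
    return [(ipaddress.ip_network(r["CIDR"]), int(r["CIDRASN"]), r["CIDRASNName"]) for r in rows]

def load_bad_asns(text):
    """JSON-lines ASN list; the metadata record has no 'asn' key and is skipped."""
    objs = (json.loads(l) for l in text.splitlines() if l.strip())
    return {str(o["asn"]) for o in objs if "asn" in o}  # the KQL joins on strings, so normalise

def lookup_asn(ip, table):
    """Longest-prefix match: the most specific CIDR containing ip wins (None if unmatched)."""
    addr = ipaddress.ip_address(ip)
    matches = [row for row in table if addr in row[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def bad_asn_logons(events, table, bad_asns, success_only=False):
    """Mirror the query: enrich each event, drop unmatched CIDRs, inner-join on ASN,
    and optionally apply the commented-out `where ActionType has "LogonSuccess"`."""
    hits = []
    for ev in events:
        m = lookup_asn(ev["IPAddress"], table)
        if m is None or str(m[1]) not in bad_asns:
            continue  # isnotempty(CIDR) fails, or no Malicious_ASN row to join with
        if success_only and ev["ActionType"] != "LogonSuccess":
            continue
        hits.append({**ev, "CIDR": str(m[0]), "asn_info": str(m[1]), "CIDRASNName": m[2]})
    return hits
```

With the sample data, alice's and carol's sign-ins land in the /25 owned by the listed ASN, and only alice's remains once the LogonSuccess filter is applied.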

Details

Sergio Albea

Released: October 10, 2025

Tables

IdentityLogonEvents

Keywords

Identities, ASN, Reputation, User, IPAddress, GeoIPData

Operators

let, externaldata, with, evaluate, ipv4_lookup, extend, geo_info_from_ip_address, where, isnotempty, tostring, join, on