Identities Bad Reputation ASN Activities
Query
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
let Malicious_ASN= (externaldata (asn:string)['https://www.spamhaus.org/drop/asndrop.json']with(format="multijson"));
IdentityLogonEvents
| evaluate ipv4_lookup(CIDRASN, IPAddress , CIDR, return_unmatched=true)
| extend GeoIPData = geo_info_from_ip_address(IPAddress)
| where isnotempty( CIDR)
| extend asn_info = tostring(CIDRASN)
//| where ActionType has "LogonSuccess"
| join kind=inner (Malicious_ASN) on $left.asn_info == $right.asnAbout this query
Identities Bad Reputation ASN activities
Description: This new query generates additional information using ASN/CIDR info from 'Firewall IP Lists @ Gyp the Cat dot Com' site (which takes data provided by other services and formats them) combined with a 'Bad ASN Rate/Reputation' source from the well-known source SpamHaus. As a result, it will show if some user sign-in attempt was trigger from a SenderIP address related to the mentioned ASN's and it can be filtered to just show the 'LoginSuccess' cases:
Explanation
This query is designed to identify potentially malicious user sign-in attempts based on IP address information. Here's a simplified breakdown of what it does:
-
Data Sources:
- It uses two external data sources:
- A list of IP address ranges (CIDR) and their associated Autonomous System Numbers (ASN) from a site called 'Firewall IP Lists @ Gyp the Cat dot Com'.
- A list of ASNs with bad reputations from SpamHaus, a well-known source for identifying malicious networks.
- It uses two external data sources:
-
Process:
- The query first loads the CIDR and ASN data from the external source.
- It also loads the list of malicious ASNs from SpamHaus.
- It then looks up the ASN information for each IP address in the
IdentityLogonEventstable. - It enriches the data with geographical information based on the IP address.
- It filters out any entries where the CIDR information is not available.
- It extends the data with ASN information.
-
Join Operation:
- The query performs an inner join between the enriched logon events and the list of malicious ASNs. This means it only keeps records where the ASN from the logon event matches an ASN in the malicious list.
-
Outcome:
- The result is a list of user sign-in attempts where the IP address is associated with an ASN that has a bad reputation, indicating potential malicious activity.
-
Optional Filtering:
- There's a commented-out line (
//| where ActionType has "LogonSuccess") that, if uncommented, would filter the results to show only successful login attempts.
- There's a commented-out line (
In summary, this query helps identify potentially risky user sign-ins by checking if the IP addresses involved are linked to networks known for malicious activity.
Details

Sergio Albea
Released: October 10, 2025
Tables
Keywords
Operators