Query Details

Malicious ISPs

Query

**Detecting Malicious ISPs**

**Description:** During my "holidays", I discovered some suspicious ISPs in the country where I was, and I wondered whether I could detect them using Defender XDR. It is indeed possible.
Instead of blocking malicious IPs one by one, which consumes significant analyst time, why not block a malicious ISP outright when every connection attempt from it is malicious?
The following query lists the ISPs from which sign-in attempts originated and labels each attempt as suspicious or valid (ISPRate column).
If you find ISPs whose IPs are all flagged as suspicious, I recommend blocking connections coming from those ISPs.
Conversely, if you identify ISPs that are legitimate, you can allow-list them with the filter line `| where ISP !in ("vodafone btw") and Location !in ("IT")`. Note that `in` is an exact, case-sensitive match, so the value must match the ISP column character for character (no trailing spaces; use `!in~` if you need a case-insensitive match).
Also be cautious when a provider operates under the same brand in several countries; the ISP name usually differs slightly between locations, so check the Location column before allow-listing a name.

```
IdentityLogonEvents
| where Timestamp > ago(1d)
// Label each attempt: "Suspicious" when the sign-in failed against a locked-out account, otherwise "valid"
| extend ISPRate = iif(FailureReason contains "locked", "Suspicious", "valid")
// Allow-list known-good ISPs and locations; "in" is an exact, case-sensitive match, so the value must carry no trailing space
| where ISP !in ("vodafone btw") and Location !in ("IT")
| project ISP, Location, IPAddress, AccountDomain, LogonType, FailureReason, ISPRate
| order by ISP
```

Explanation

This query is designed to detect potentially malicious Internet Service Providers (ISPs) based on sign-in attempts recorded in Defender XDR logs. Here's a simplified summary:

  1. Time Frame: It looks at logon events from the past day.
  2. Suspicious Activity: It labels each logon attempt "Suspicious" if its failure reason contains the word "locked" (the attempt hit a locked-out account). Otherwise, it labels the attempt "valid".
  3. Filtering: It excludes logon attempts from specific ISPs and locations (e.g., "vodafone btw" and "IT" for Italy) so that known-good traffic does not clutter the output.
  4. Output: It lists details such as ISP, location, IP address, account domain, logon type, failure reason, and the suspicious/valid label, sorted by ISP so that all attempts from one provider sit together.
  5. Recommendation: If every attempt from an ISP is labelled suspicious, consider blocking that ISP. Conversely, ISPs you know to be legitimate can be added to the allow-list filter.

In essence, this query helps identify and potentially block ISPs that show only suspicious activity, thereby improving security by reducing the need to block individual IPs.
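The original query labels individual attempts, so deciding that "every attempt from this ISP is suspicious" still means reading down the sorted list. The following is an added example, not part of the original post, that aggregates the same labelling per ISP and location so the decision becomes a computed column. The allow-list values, the `lookback` period, the minimum-attempt threshold of 5 and the "Mixed" label are assumptions chosen for illustration; the failure-reason keyword and the IdentityLogonEvents columns are the ones the original query uses.

```kql
// Added example: per-ISP roll-up of the original labelling logic.
// Assumptions: the allow-list entries and the >= 5 attempt threshold are placeholders to tune per tenant.
let lookback = 1d;
let allowedISPs = dynamic(["vodafone btw"]);   // placeholder allow-list, case-insensitive match below
let allowedLocations = dynamic(["IT"]);         // placeholder allow-list of ISO country codes
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where ISP !in~ (allowedISPs) and Location !in (allowedLocations)
// Same per-attempt rule as the original query: a failure against a locked-out account is suspicious
| extend IsSuspicious = FailureReason contains "locked"
| summarize
    Attempts = count(),
    SuspiciousAttempts = countif(IsSuspicious),
    DistinctIPs = dcount(IPAddress),
    SuspiciousIPs = dcountif(IPAddress, IsSuspicious),
    TargetedAccounts = dcount(AccountUpn),
    SampleIPs = make_set(IPAddress, 5)
    by ISP, Location
| extend SuspiciousShare = round(100.0 * SuspiciousAttempts / Attempts, 1)
// "Suspicious" only when every attempt is suspicious AND there are enough attempts to trust the verdict;
// a single locked-out login from a residential ISP should not get a whole provider blocked.
| extend ISPRate = case(
    SuspiciousAttempts == Attempts and Attempts >= 5, "Suspicious",
    SuspiciousAttempts > 0, "Mixed",
    "valid")
| order by ISPRate asc, SuspiciousShare desc, Attempts desc
```

Rows labelled "Suspicious" are the block candidates; "Mixed" rows are providers that also carry legitimate sign-ins, which is the case to watch for before blocking a brand that serves several countries. `SampleIPs` gives a handful of addresses to pivot on if you prefer to block at IP level after all.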

Details


Sergio Albea

Released: July 15, 2024

Tables

IdentityLogonEvents

Keywords

DefenderXDR, IdentityLogonEvents, ISP, Location, IPAddress, AccountDomain, LogonType, FailureReason

Operators

where, ago, extend, iif, contains, in, project, order by
