Query Details

TI Feed Abuse.ch IP Blacklist Feed

Query

# Abuse.ch Botnet C2 IP Blacklist to detect external C2 connections

#### Source: Abuse.ch
#### Feed link: https://sslbl.abuse.ch/blacklist/sslipblacklist.txt

### Defender For Endpoint
```
// Pull the abuse.ch SSLBL Botnet C2 IP list at query time. format="txt" yields one row per line
// of the file; ignoreFirstRecord drops the first (header) line.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://sslbl.abuse.ch/blacklist/sslipblacklist.txt"] with (format="txt", ignoreFirstRecord=True);
// Keep only rows that look like an IPv4 address; this discards the '#' comment lines of the feed.
// The regex is unanchored, so a row is kept if it merely contains an IP; the `in` below still
// requires the whole row to equal RemoteIP, so such rows simply never match.
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
     ThreatIntelFeed
     | where DestIP matches regex IPRegex
     | distinct DestIP
     );
// Exact match of the remote endpoint against the indicator list, then GeoIP enrichment.
// geo_info_from_ip_address() already returns a dynamic object, so its fields can be read directly.
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
```


### Sentinel
```
// Same query as the Defender For Endpoint tab: DeviceNetworkEvents is available in Sentinel
// through the Microsoft 365 Defender data connector, and externaldata() works in both.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://sslbl.abuse.ch/blacklist/sslipblacklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
     ThreatIntelFeed
     | where DestIP matches regex IPRegex   // drops the '#' comment lines of the feed
     | distinct DestIP
     );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
```

Explanation

The query fetches the Abuse.ch SSLBL Botnet C2 IP blacklist with `externaldata()` at query time, keeps only the rows that look like an IPv4 address (which drops the feed's `#` comment lines), and then returns every `DeviceNetworkEvents` row whose `RemoteIP` exactly equals one of those indicators. Each hit is enriched with `geo_info_from_ip_address()` (country, state, city, latitude, longitude). Two practical caveats: the comparison is an exact string match, so a feed row that carries anything besides the bare IP (a port, a trailing comment) is silently never matched and should be reduced to the IP with `extract()` first; and the query has no time filter, so add `| where Timestamp > ago(7d)` or similar before running it over a large tenant.
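The feed-parsing and matching steps of the query, emulated offline so the edge cases can be seen without a tenant. This is an added example and not code from the page or from abuse.ch; the feed text and the network events are constructed samples in the shape of the real list and of `DeviceNetworkEvents`, and the parser goes slightly beyond the KQL by stripping a `:port` suffix and rejecting octets above 255 (both are assumptions about what a hardened version should do, not behaviour of the page's query):

```python
"""Offline emulation of the abuse.ch IP-blacklist hunt: parse the feed the way the
KQL `externaldata(...) | where DestIP matches regex ...` step does, then match
network events on RemoteIP.  Added example, not from the original page; the feed
text and the events below are constructed, not real abuse.ch data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Anchored: the whole line must be an IPv4 literal, optionally followed by ":port".
# The page's regex is unanchored, so it would also keep a line such as
# "# note: 1.2.3.4 was re-listed", which the later exact-match `in` can never hit.
IP_LINE = re.compile(r"^\s*([0-9]{1,3}(?:\.[0-9]{1,3}){3})(?::[0-9]{1,5})?\s*$")


def parse_feed(feed_text: str) -> set[str]:
    """Return the set of valid IPv4 indicators in an abuse.ch-style text feed.

    Comment lines ('#') and blank lines are skipped, a ':port' suffix is stripped
    (assumption: a hardened query would extract the IP rather than match the row),
    and octets > 255, which [0-9]{1,3} alone accepts, are rejected."""
    indicators: set[str] = set()
    for line in feed_text.splitlines():
        m = IP_LINE.match(line)
        if not m:
            continue
        try:
            indicators.add(str(ipaddress.IPv4Address(m.group(1))))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.2.3 matches the regex but is not an address
    return indicators


@dataclass(frozen=True)
class NetworkEvent:
    device: str
    remote_ip: str
    remote_port: int
    process: str


def match_events(events: Iterable[NetworkEvent], indicators: set[str]) -> list[NetworkEvent]:
    """Equivalent of `DeviceNetworkEvents | where RemoteIP in (MaliciousIP)`: exact match."""
    return [e for e in events if e.remote_ip in indicators]


# Constructed sample feed (layout mimics the abuse.ch text lists; values are RFC 5737 test IPs).
SAMPLE_FEED = """\
################################################################
# abuse.ch SSLBL Botnet C2 IP Blacklist (constructed sample)   #
# Last updated: 2023-06-08 (mentions 192.0.2.77 in a comment)  #
################################################################
198.51.100.23
198.51.100.24:443
203.0.113.9
999.1.2.3
"""

# Constructed sample events in the shape of DeviceNetworkEvents.
SAMPLE_EVENTS = [
    NetworkEvent("WS-001", "198.51.100.23", 443, "svchost.exe"),
    NetworkEvent("WS-002", "198.51.100.24", 443, "update.exe"),
    NetworkEvent("WS-003", "192.0.2.77", 80, "chrome.exe"),  # IP only appears in a comment line
    NetworkEvent("WS-004", "10.0.0.5", 445, "System"),
]


def hunt(feed_text: str = SAMPLE_FEED, events: Iterable[NetworkEvent] = SAMPLE_EVENTS) -> list[NetworkEvent]:
    """Run the whole pipeline: feed -> indicator set -> matching events."""
    return match_events(events, parse_feed(feed_text))


if __name__ == "__main__":
    for hit in hunt():
        print(f"{hit.device} -> {hit.remote_ip}:{hit.remote_port} ({hit.process})")
```

WS-002 is the instructive case: with the page's exact-match `in`, a feed row of `198.51.100.24:443` would never hit, whereas extracting the address first (as `parse_feed` does) catches it. WS-003 shows why anchoring the regex is harmless but not sufficient on its own: an IP mentioned inside a comment line is not an indicator either way.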

Details


Bert-Jan Pals

Released: June 8, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User,KQL,ThreatIntelFeed,externaldata,DestIP,format,ignoreFirstRecord,IPRegex,MaliciousIP,materialize,matches,regex,distinct,DeviceNetworkEvents,RemoteIP,GeoIPInfo,geo_info_from_ip_address,country,state,city,latitude,longitude,parse_json

Operators

externaldata, with, format, ignoreFirstRecord, let, string, matches regex, distinct, where, in, extend, geo_info_from_ip_address, tostring, parse_json
