Query Details

Command & Control intel Feeds (IP Based)

TI Feed C2IP Feed

Query

let C2IntelFeeds = externaldata(IP: string, ioc:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=True);
let IPList = C2IntelFeeds
| project IP;
DeviceNetworkEvents
| where RemoteIP in (IPList)
| join kind=inner C2IntelFeeds on $left.RemoteIP == $right.IP
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, ioc

About this query

Command & Control intel Feeds (IP Based)

Source: https://github.com/drb-ra

Feed information: https://github.com/drb-ra/C2IntelFeeds

Feed link: https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv

Defender XDR

let C2IntelFeeds = externaldata(IP: string, ioc:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=True);
let IPList = C2IntelFeeds
| project IP;
DeviceNetworkEvents
| where RemoteIP in (IPList)
| join kind=inner C2IntelFeeds on $left.RemoteIP == $right.IP
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, ioc

Sentinel

Explanation

This query is designed to identify and provide information about network events involving IP addresses associated with Command & Control (C2) threats. Here's a simple breakdown of what the query does:

  1. Data Source: It uses an external data source, specifically a CSV file hosted on GitHub, which contains a list of IP addresses known to be associated with C2 threats.

  2. Data Extraction: The query extracts IP addresses and associated indicators of compromise (IOC) from this CSV file.

  3. Event Filtering: It then filters network events from a dataset (DeviceNetworkEvents) to find those where the remote IP address matches any of the IPs from the C2 threat list.

  4. Data Joining: The query joins the filtered network events with the C2 threat data to enrich the event data with threat intelligence.

  5. Geolocation Information: For each matching network event, it retrieves geolocation information based on the remote IP address, including country, state, city, latitude, and longitude.

  6. Result Projection: Finally, it selects and displays specific fields from the enriched data, such as the timestamp of the event, device name, remote IP address, remote port, remote URL, and the IOC.

The query is structured to work with two different systems, Defender XDR and Sentinel, with slight variations in the field names for timestamps (Timestamp for Defender XDR and TimeGenerated for Sentinel). The purpose is to monitor and analyze potential security threats by identifying network communications with known malicious IPs.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 18, 2026

Tables

DeviceNetworkEvents

Keywords

CommandControlIntelFeedsIPBasedDeviceNetworkEventsGeoIPInfoCountryStateCityLatitudeLongitudeTimestampNameRemotePortUrlIOCTimeGenerated

Operators

letexternaldatawithprojectinjoinonextendtostringparse_jsongeo_info_from_ip_addresswhere

Actions

GitHub