Query Details

TI Feed C2IP Feed

Query

# Command & Control intel Feeds (IP Based)

#### Source: https://github.com/drb-ra
#### Feed information: https://github.com/drb-ra/C2IntelFeeds
#### Feed link: https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv

### Defender For Endpoint
```kql
// Load the 30-day IP-based C2 feed; the CSV header row is skipped and the ioc column carries the feed's label for each indicator
let C2IntelFeeds = externaldata(IP: string, ioc: string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=true);
// Feed IPs alone, used as a cheap pre-filter before the join
let IPList = C2IntelFeeds
| project IP;
DeviceNetworkEvents
| where RemoteIP in (IPList)
// Bring the ioc label alongside every matching connection
| join C2IntelFeeds on $left.RemoteIP == $right.IP
// geo_info_from_ip_address() already returns a dynamic object, so its fields can be read directly
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
// Add country, state, city, latitude or longitude here if the geo enrichment should appear in the output
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, ioc
```


### Sentinel
```kql
// Load the 30-day IP-based C2 feed; the CSV header row is skipped and the ioc column carries the feed's label for each indicator
let C2IntelFeeds = externaldata(IP: string, ioc: string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=true);
// Feed IPs alone, used as a cheap pre-filter before the join
let IPList = C2IntelFeeds
| project IP;
DeviceNetworkEvents
| where RemoteIP in (IPList)
// Bring the ioc label alongside every matching connection
| join C2IntelFeeds on $left.RemoteIP == $right.IP
// geo_info_from_ip_address() already returns a dynamic object, so its fields can be read directly
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
// Add country, state, city, latitude or longitude here if the geo enrichment should appear in the output
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, ioc
```

Explanation

The query loads an IP-based Command & Control (C2) intelligence feed with externaldata from the drb-ra C2IntelFeeds GitHub repository, giving an IP address and an IOC label per row. It first filters DeviceNetworkEvents to rows whose RemoteIP appears in the feed, then joins the feed on that IP so the IOC label travels with each matching connection. It also enriches each match with geographic information derived from the IP address (country, state, city, latitude and longitude); these columns are computed with extend but are not part of the final project, so they only reach the output if added there. The final result includes the timestamp (TimeGenerated in Sentinel), device name, remote IP address, remote port, remote URL, and IOC label.
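The same feed and join, shaped for a Sentinel scheduled analytics rule, as an added example that is not part of the original page: the lookback window, the blank-row filter and the per-device summary (first/last seen, connection count, initiating processes, ports and action types) are this example's own choices.

```kql
// Added example: scheduled-rule variant of the C2IntelFeeds IP match (not the page's original query)
let lookback = 1d;                       // align with the rule's query period
let C2IntelFeeds = externaldata(IP: string, ioc: string)
    [@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"]
    with (format="csv", ignoreFirstRecord=true)
    | where isnotempty(IP);              // skip blank lines the CSV may contain
DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where isnotempty(RemoteIP)
| join kind=inner C2IntelFeeds on $left.RemoteIP == $right.IP
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
// One row per device and C2 IP, so repeated beacons produce a single alert with context
| summarize
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Connections = count(),
    Actions     = make_set(ActionType, 10),
    Processes   = make_set(InitiatingProcessFileName, 10),
    Ports       = make_set(RemotePort, 10)
    by DeviceName, RemoteIP, ioc, Country = tostring(GeoIPInfo.country)
| order by LastSeen desc
```

Map DeviceName to the Host entity and RemoteIP to the IP entity in the rule, and keep the lookback no shorter than the rule frequency so no interval is skipped.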

Details


Bert-Jan Pals

Released: June 8, 2023

Tables

C2IntelFeeds, DeviceNetworkEvents

Keywords

Devices,Intune,User

Operators

let, externaldata, project, where, in, join, on, extend, geo_info_from_ip_address, tostring, parse_json, TimeGenerated
