DigitalSide Threat-Intel suspicious and/or malicious IP addresses
TI Feed Digital Side I Ps
Query
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestips.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountNameAbout this query
DigitalSide Threat-Intel suspicious and/or malicious IP addresses
Source: DigitalSide Threat-Intel
Feed information: https://osint.digitalside.it/
Feed link: https://osint.digitalside.it/Threat-Intel/lists/latestips.txt
Defender XDR
Sentinel
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestips.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
Explanation
This query is designed to identify suspicious or malicious IP addresses from a threat intelligence feed and correlate them with network events on devices. Here's a simplified breakdown of what each part of the query does:
-
Threat Intelligence Feed Import:
- The query starts by importing a list of potentially malicious IP addresses from an external source, specifically from DigitalSide Threat-Intel. This list is accessed via a URL and is formatted as a text file.
-
IP Address Extraction:
- A regular expression (
IPRegex) is defined to match valid IP addresses. The query filters the imported data to extract only those entries that match this IP address pattern.
- A regular expression (
-
Distinct Malicious IPs:
- The query creates a distinct list of these IP addresses, ensuring that each IP is unique in the list of potential threats.
-
Device Network Events Correlation:
- The query then looks at network events on devices (from
DeviceNetworkEvents) and checks if any of the remote IP addresses involved in these events match the list of malicious IPs.
- The query then looks at network events on devices (from
-
Geolocation Information:
- For each matching network event, the query retrieves geolocation information based on the IP address. This includes the country, state, city, latitude, and longitude of the IP address.
-
Result Projection:
- Finally, the query organizes the results to show specific details: the timestamp of the event, the device name, the remote IP address and port, and the account name of the process that initiated the connection.
The query is structured to work with both Defender XDR and Sentinel, with a slight difference in the timestamp field name (Timestamp for Defender XDR and TimeGenerated for Sentinel). This allows security analysts to monitor and investigate potentially harmful network activities by correlating them with known threat intelligence data.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators