Query Details

TI Feed DigitalSide IPs

Query

# DigitalSide Threat-Intel suspicious and/or malicious IP addresses

#### Source: DigitalSide Threat-Intel
#### Feed information: https://osint.digitalside.it/
#### Feed link: https://osint.digitalside.it/Threat-Intel/lists/latestips.txt

### Defender For Endpoint
```KQL
// Fetch the feed at query time; format="txt" yields one string column (DestIP) per line.
// ignoreFirstRecord skips the first line of the file; the regex filter below drops any other non-IP lines.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestips.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// Keep only lines that look like an IPv4 address and cache the deduplicated list for the lookup.
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
// geo_info_from_ip_address() returns a dynamic object, so its fields can be read directly.
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```

### Sentinel
```KQL
// Fetch the feed at query time; format="txt" yields one string column (DestIP) per line.
// ignoreFirstRecord skips the first line of the file; the regex filter below drops any other non-IP lines.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestips.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// Keep only lines that look like an IPv4 address and cache the deduplicated list for the lookup.
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
// geo_info_from_ip_address() returns a dynamic object, so its fields can be read directly.
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```

Explanation

The query downloads the DigitalSide Threat-Intel IP list with externaldata at query time (format="txt" gives one string column per line), keeps only the lines that look like an IPv4 address, and deduplicates them. It then filters DeviceNetworkEvents to connections whose RemoteIP appears in that list and enriches each hit with geo_info_from_ip_address(), which returns a dynamic object from which country, state, city, latitude and longitude are extracted. No columns are dropped: project-reorder only moves Timestamp (TimeGenerated in Sentinel), DeviceName, RemoteIP, RemotePort and InitiatingProcessAccountName to the front.

Three things to keep in mind when using it: the feed is fetched on every run, so a hit reflects the list as it is now, not as it was when the connection happened; the regular expression is unanchored and does not check octet ranges, so any line containing four dot-separated numbers passes (header lines without such a substring are dropped, which is what makes the filter work); and the list is compared exactly against RemoteIP, so a trailing space in a feed line prevents a match, while a private or reserved address in the list would make ordinary internal connections match. Review hits before turning the query into an alert.
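To check those feed-handling assumptions before pointing the query at production data, the following Python script (an added example, not code from the original page or from DigitalSide) emulates the two stages of the query over constructed data: it parses a feed in the same shape as latestips.txt with both the query's loose regex and a strict IPv4 parse, then matches the result against a handful of constructed DeviceNetworkEvents rows. The sample feed, the event rows, the helper names and the INTERNAL_NETS list are all assumptions for illustration.

```python
"""Offline emulation of the feed-matching step of the KQL query above.

Added example, not part of the original page: the feed text and the
DeviceNetworkEvents rows are constructed sample data, and the functions are
stand-ins for the KQL stages, not anything DigitalSide or Microsoft ship.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for latestips.txt: comment lines, one IPv4 per line, plus
# three deliberately awkward entries (a dotted version string in a comment,
# an invalid octet, and an RFC 1918 address).
SAMPLE_FEED = """\
# DigitalSide Threat-Intel IP list (constructed sample)
# Updated: 2023-12-05 12:00:00
# Format version 1.0.0.1 (constructed)
198.51.100.23
203.0.113.77
192.0.2.250   
999.1.1.1
10.0.0.5
"""

# The same loose pattern the KQL query uses: unanchored, no octet range check.
LOOSE_IP_RE = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

# Ranges that should never be matched against endpoint traffic as threat intel
# (assumed list for this example; extend to taste).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def loose_indicators(feed_text):
    """What 'where DestIP matches regex IPRegex | distinct DestIP' keeps:
    every whole line that contains an IP-looking substring."""
    return {line for line in feed_text.splitlines() if LOOSE_IP_RE.search(line)}


def strict_indicators(feed_text):
    """Stricter parse: skip comments, strip whitespace, require a valid IPv4
    address, and drop addresses inside internal ranges."""
    kept = set()
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.IPv4Address(line)
        except ValueError:  # e.g. 999.1.1.1
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        kept.add(str(ip))
    return kept


@dataclass(frozen=True)
class NetworkEvent:
    """Subset of the DeviceNetworkEvents columns the query surfaces."""
    timestamp: str
    device_name: str
    remote_ip: str
    remote_port: int
    initiating_account: str


SAMPLE_EVENTS = [  # constructed rows
    NetworkEvent("2023-12-05T08:01:12Z", "ws-0142", "203.0.113.77", 443, "jdoe"),
    NetworkEvent("2023-12-05T08:03:40Z", "ws-0142", "192.0.2.17", 443, "jdoe"),
    NetworkEvent("2023-12-05T08:05:09Z", "srv-db01", "10.0.0.5", 1433, "svc_sql"),
    NetworkEvent("2023-12-05T08:07:51Z", "ws-0077", "198.51.100.23", 8080, "asmith"),
]


def match_events(events, indicators):
    """Equivalent of 'DeviceNetworkEvents | where RemoteIP in (MaliciousIP)'."""
    return [e for e in events if e.remote_ip in indicators]


if __name__ == "__main__":
    for label, parse in (("loose", loose_indicators), ("strict", strict_indicators)):
        hits = match_events(SAMPLE_EVENTS, parse(SAMPLE_FEED))
        print(f"{label}: {len(hits)} hit(s)")
        for e in hits:
            print(f"  {e.timestamp} {e.device_name} -> {e.remote_ip}:{e.remote_port} ({e.initiating_account})")
```

The loose pass keeps the whole comment line containing `1.0.0.1`, the invalid `999.1.1.1`, and the RFC 1918 entry, and that last one is what turns an ordinary SQL connection from `srv-db01` into a hit; the strict pass only flags the two workstations talking to addresses actually in the list. The same checks can be expressed in KQL with `trim()`, `parse_ipv4()` (null for an invalid address) and `ipv4_is_private()` before the `distinct DestIP` step.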

Details


Bert-Jan Pals

Released: December 5, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User,KQL,Threat-Intel,IP,DefenderForEndpoint,Sentinel,RemoteIP,RemotePort,InitiatingProcessAccountName,GeoIPInfo,country,state,city,latitude,longitude,Timestamp,DeviceName,TimeGenerated

Operators

externaldata, with, let, materialize, where, matches regex, distinct, in, extend, geo_info_from_ip_address, tostring, parse_json, project-reorder
