Query Details

IPSum suspicious and/or malicious IP addresses (Level 4)

TI Feed MISP IP Sum Level 4

Query

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

About this query

IPSum suspicious and/or malicious IP addresses (Level 4)

Source: IPSum

Feed information: https://github.com/stamparm/ipsum/

Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt

Defender XDR

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Sentinel

Explanation

This query is designed to identify network events involving suspicious or malicious IP addresses using data from the IPSum threat intelligence feed. Here's a simplified breakdown of what the query does:

  1. Fetch Threat Intelligence Data: It retrieves a list of potentially malicious IP addresses from an external source (IPSum Level 4 feed).

  2. Filter Valid IP Addresses: It uses a regular expression to ensure that only valid IP addresses are considered from the feed.

  3. Identify Malicious IPs: It creates a distinct list of these valid IP addresses, which are considered potentially malicious.

  4. Analyze Network Events: It checks network events (from DeviceNetworkEvents) to see if any of these events involve the identified malicious IP addresses.

  5. Geolocation Information: For each network event involving a malicious IP, it retrieves geolocation information, such as country, state, city, latitude, and longitude.

  6. Organize Output: Finally, it organizes the output to display relevant details like the timestamp, device name, remote IP, remote port, and the account name of the process initiating the connection.

The query is essentially the same for both Defender XDR and Sentinel, with a minor difference in the field name for the timestamp (Timestamp vs. TimeGenerated).

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeedDestIPDeviceNetworkEventsRemoteIPGeoIPInfoCountryStateCityLatitudeLongitudeTimestampDeviceNameRemotePortInitiatingProcessAccountNameTimeGenerated

Operators

letexternaldatawithmatchesregexdistinctmaterializewhereinextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub