Query Details

TI Feed MISP IP Sum Level 4

Query

# IPSum suspicious and/or malicious IP addresses (Level 4)

#### Source: IPSum
#### Feed information: https://github.com/stamparm/ipsum/
#### Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt

### Defender For Endpoint
```
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country),
         state = tostring(parse_json(GeoIPInfo).state),
         city = tostring(parse_json(GeoIPInfo).city),
         latitude = tostring(parse_json(GeoIPInfo).latitude),
         longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```


### Sentinel
```
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country),
         state = tostring(parse_json(GeoIPInfo).state),
         city = tostring(parse_json(GeoIPInfo).city),
         latitude = tostring(parse_json(GeoIPInfo).latitude),
         longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```

Explanation

The query pulls the IPSum Level 4 list of suspicious and/or malicious IP addresses with `externaldata`, keeps only the lines that look like an IPv4 address, and uses that set to filter DeviceNetworkEvents for connections whose RemoteIP is on the list. Each hit is then enriched with geolocation data for the remote address (country, state, city, latitude, longitude), and the most useful columns for analysis are moved to the front with `project-reorder`. The Defender for Endpoint and Sentinel versions differ only in the timestamp column (Timestamp versus TimeGenerated).
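As an added example (not part of the original page and not the author's query), the same feed match written for triage rather than for raw event listing: the regex is anchored so a feed line must be exactly one dotted quad (comment or malformed lines are dropped instead of being carried into the set as non-matching strings), the search is limited to a lookback window, and hits are summarized per device and account with first/last seen, connection counts, and the set of matched addresses and initiating processes. The `lookback` value and the `make_set` size limits are assumptions; the feed URL, the `ignoreFirstRecord` setting and the table columns are taken from the page.

```kql
// Added example: per-device summary of connections to IPSum Level 4 addresses.
// Assumed parameter: how far back to search.
let lookback = 7d;
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True);
// Anchored pattern: the whole line must be a dotted quad, so nothing but bare IPv4 strings enters the set.
let IPRegex = @'^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$';
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (MaliciousIP)
// geo_info_from_ip_address() returns a dynamic object, so its fields can be read directly.
| extend Country = tostring(geo_info_from_ip_address(RemoteIP).country)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Connections = count(),
    RemoteIPs = make_set(RemoteIP, 50),          // assumed cap of 50 addresses per row
    Countries = make_set(Country, 20),            // assumed cap of 20 countries per row
    Processes = make_set(InitiatingProcessFileName, 20)
    by DeviceName, InitiatingProcessAccountName
| order by Connections desc
```

In IPSum, levels/N.txt lists addresses that appear on at least N of the aggregated blocklists, so Level 4 is a higher-confidence subset than the full list; a summary like this makes it quick to see which hosts and accounts are repeatedly reaching those addresses and which processes initiate the connections, which is usually the first question in triage. For Sentinel, replace Timestamp with TimeGenerated as in the page's second query.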

Details

Bert-Jan Pals

Released: June 8, 2023

Tables

ThreatIntelFeed, DeviceNetworkEvents

Keywords

Devices, Intune, User, IPSum, DefenderForEndpoint, Sentinel, ThreatIntelFeed, IPRegex, MaliciousIP, DeviceNetworkEvents, RemoteIP, GeoIPInfo, country, state, city, latitude, longitude, Timestamp, DeviceName, RemotePort, InitiatingProcessAccountName, TimeGenerated

Operators

externaldata, with, let, format, ignoreFirstRecord, materialize, where, matches regex, distinct, in, extend, geo_info_from_ip_address, tostring, parse_json, project-reorder
