Query Details

IPSum suspicious and/or malicious IP addresses (Level 5)

TI Feed MISP IP Sum Level 5

Query

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

About this query

IPSum suspicious and/or malicious IP addresses (Level 5)

Source: IPSum

Feed information: https://github.com/stamparm/ipsum/

Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt

Defender XDR

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Sentinel

Explanation

This query is designed to identify and provide information about network events involving suspicious or malicious IP addresses. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses an external data source, specifically a list of suspicious or malicious IP addresses from a GitHub repository (IPSum Level 5).

  2. IP Extraction: The query extracts valid IP addresses from this list using a regular expression that matches the standard IP address format.

  3. Malicious IP List: It creates a distinct list of these extracted IP addresses, which are considered potentially malicious.

  4. Network Events Filtering: The query then looks at network events recorded in the DeviceNetworkEvents table and filters these events to only include those where the RemoteIP matches one of the IPs in the malicious list.

  5. Geolocation Information: For each of these filtered events, it retrieves geolocation information based on the IP address, including country, state, city, latitude, and longitude.

  6. Output: Finally, it organizes the output to display specific details about each event, such as the timestamp, device name, remote IP, remote port, and the account name of the process that initiated the connection.

The query is structured similarly for both Defender XDR and Sentinel, with a slight difference in the timestamp field name (Timestamp for Defender XDR and TimeGenerated for Sentinel).

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeedMaliciousIPDeviceNetworkEventsGeoIPInfoCountryStateCityLatitudeLongitudeTimestampDeviceNameRemoteIPRemotePortInitiatingProcessAccountNameTimeGenerated

Operators

letexternaldatawithmatchesregexmaterializewheredistinctinextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub