IPSum suspicious and/or malicious IP addresses (Level 5)
TI Feed MISP IP Sum Level 5
Query
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountNameAbout this query
IPSum suspicious and/or malicious IP addresses (Level 5)
Source: IPSum
Feed information: https://github.com/stamparm/ipsum/
Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt
Defender XDR
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
Sentinel
Explanation
This query is designed to identify and provide information about network events involving suspicious or malicious IP addresses. Here's a simplified breakdown of what the query does:
-
Data Source: It uses an external data source, specifically a list of suspicious or malicious IP addresses from a GitHub repository (IPSum Level 5).
-
IP Extraction: The query extracts valid IP addresses from this list using a regular expression that matches the standard IP address format.
-
Malicious IP List: It creates a distinct list of these extracted IP addresses, which are considered potentially malicious.
-
Network Events Filtering: The query then looks at network events recorded in the
DeviceNetworkEventstable and filters these events to only include those where theRemoteIPmatches one of the IPs in the malicious list. -
Geolocation Information: For each of these filtered events, it retrieves geolocation information based on the IP address, including country, state, city, latitude, and longitude.
-
Output: Finally, it organizes the output to display specific details about each event, such as the timestamp, device name, remote IP, remote port, and the account name of the process that initiated the connection.
The query is structured similarly for both Defender XDR and Sentinel, with a slight difference in the timestamp field name (Timestamp for Defender XDR and TimeGenerated for Sentinel).
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators