Query Details

IPSum suspicious and/or malicious IP addresses (Level 6)

TI Feed MISP IP Sum Level 6

Query

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

About this query

IPSum suspicious and/or malicious IP addresses (Level 6)

Source: IPSum

Feed information: https://github.com/stamparm/ipsum/

Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt

Defender XDR

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Sentinel

Explanation

This query is designed to identify and provide information about network events involving suspicious or malicious IP addresses. Here's a simple breakdown of what the query does:

  1. Threat Intelligence Feed: The query pulls a list of potentially malicious IP addresses from an external source, specifically from a file hosted on GitHub. This file contains IP addresses categorized as Level 6 threats by the IPSum project.

  2. IP Address Extraction: It uses a regular expression to extract valid IP addresses from the feed. This ensures that only properly formatted IP addresses are considered.

  3. Distinct Malicious IPs: The query then creates a distinct list of these IP addresses to avoid duplicates.

  4. Network Events Filtering: The query checks network events recorded in the DeviceNetworkEvents table to see if any of the remote IPs involved in these events match the list of malicious IPs.

  5. Geolocation Information: For each matching network event, the query retrieves geolocation information based on the IP address. This includes the country, state, city, latitude, and longitude.

  6. Data Presentation: Finally, the query organizes the results to show specific details about each event, such as the timestamp, device name, remote IP, remote port, and the account name of the process that initiated the connection.

The main difference between the Defender XDR and Sentinel versions of the query is the field used for the timestamp (Timestamp vs. TimeGenerated), which may relate to differences in the schema or naming conventions between the two systems.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeedDestIPMaliciousIPDeviceNetworkEventsRemoteIPGeoIPInfoCountryStateCityLatitudeLongitudeTimestampDeviceNameRemotePortInitiatingProcessAccountNameTimeGenerated

Operators

letexternaldatawithmatchesregexmaterializewheredistinctinextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub