Query Details

TI Feed MISP IP Sum Level 6

Query

# IPSum suspicious and/or malicious IP addresses (Level 6)

#### Source: IPSum
#### Feed information: https://github.com/stamparm/ipsum/
#### Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt

### Defender For Endpoint
```
// The IPSum levels files are one IP address per line with no header row, so the
// first record must not be skipped; any non-IP line is dropped by the regex filter below.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=false);
// Dotted-quad pattern in a regular (escaped) KQL string literal, so '\\.' reaches the regex engine as '\.'
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// materialize() fetches the feed once and caches the de-duplicated indicator set
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
// geo_info_from_ip_address already returns a dynamic object, so no parse_json is needed
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = toreal(GeoIPInfo.latitude), longitude = toreal(GeoIPInfo.longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```


### Sentinel
```
// The IPSum levels files are one IP address per line with no header row, so the
// first record must not be skipped; any non-IP line is dropped by the regex filter below.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=false);
// Dotted-quad pattern in a regular (escaped) KQL string literal, so '\\.' reaches the regex engine as '\.'
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// materialize() fetches the feed once and caches the de-duplicated indicator set
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
// geo_info_from_ip_address already returns a dynamic object, so no parse_json is needed
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = toreal(GeoIPInfo.latitude), longitude = toreal(GeoIPInfo.longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```

Explanation

The query downloads the IPSum Level 6 list (addresses reported by at least six of the blocklists IPSum aggregates) with externaldata, keeps only the lines that look like an IPv4 address, de-duplicates them and materializes the result so the feed is fetched once per query run. DeviceNetworkEvents rows whose RemoteIP is in that set are then enriched with geo_info_from_ip_address, and the timestamp, device name, remote IP address, remote port and initiating process account name are moved to the front of the result. Two caveats for triage: the feed is IPv4-only, so connections to IPv6 destinations are never matched, and the geolocation data is approximate and should not be read as a precise physical location. IPSum is an aggregate of public blocklists, so a hit is a lead for investigation rather than confirmed malicious activity; check the remote port and the initiating process before escalating.
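To check the feed-parsing and matching behaviour without a Defender or Sentinel workspace, the following Python mirrors the query's logic over constructed data. This is an added example, not code from the original page or from the author's KQL repository; the feed text and the DeviceNetworkEvents rows are made up (documentation-range addresses only), and the IPv4 check is deliberately stricter than the KQL pattern, which is unanchored and accepts octets above 255. It also models externaldata's ignoreFirstRecord option, so the effect of setting it to true on a header-less levels file can be seen directly.

```python
"""Offline model of the IPSum Level 6 hunting query (added example, not the page's own code)."""
import ipaddress
import re

# Same dotted-quad pattern as the KQL IPRegex.
IP_REGEX = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

# Constructed stand-in for levels/6.txt. The real levels files are one IP per line
# with no header; a comment line, a duplicate and an invalid address are added here
# to show what the regex filter, the address check and `distinct` take care of.
SAMPLE_FEED = """# constructed comment line, not present in the real levels file
198.51.100.23
203.0.113.77
192.0.2.250
203.0.113.77
999.1.1.1
"""

# Constructed DeviceNetworkEvents rows with the columns the query projects.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-06-08T09:12:01Z", "DeviceName": "wks-0042", "RemoteIP": "203.0.113.77",
     "RemotePort": 443, "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": "2023-06-08T09:12:05Z", "DeviceName": "wks-0042", "RemoteIP": "198.51.100.9",
     "RemotePort": 80, "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": "2023-06-08T09:13:44Z", "DeviceName": "srv-db01", "RemoteIP": "192.0.2.250",
     "RemotePort": 3389, "InitiatingProcessAccountName": "svc_backup"},
    # IPv6 destination: the feed is IPv4-only, so this row can never match.
    {"Timestamp": "2023-06-08T09:14:00Z", "DeviceName": "srv-db01", "RemoteIP": "2001:db8::1",
     "RemotePort": 443, "InitiatingProcessAccountName": "svc_backup"},
]

PROJECTED = ("Timestamp", "DeviceName", "RemoteIP", "RemotePort", "InitiatingProcessAccountName")


def load_feed(text, ignore_first_record=False):
    """Equivalent of `ThreatIntelFeed | where DestIP matches regex IPRegex | distinct DestIP`.

    ignore_first_record models externaldata's ignoreFirstRecord: on a levels file,
    which has no header row, it silently throws away the first indicator.
    """
    lines = text.splitlines()
    if ignore_first_record:
        lines = lines[1:]
    indicators = set()
    for line in lines:
        value = line.strip()
        # Anchor the pattern so the whole line must be an address, then let the
        # ipaddress module reject octets above 255 that the 1-3 digit pattern allows.
        if IP_REGEX.fullmatch(value):
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                continue
            indicators.add(value)
    return indicators


def match_events(events, indicators):
    """Equivalent of `DeviceNetworkEvents | where RemoteIP in (MaliciousIP) | project-reorder ...`."""
    return [{col: event[col] for col in PROJECTED}
            for event in events if event["RemoteIP"] in indicators]


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS, load_feed(SAMPLE_FEED))
    for hit in hits:
        print(hit)
    # With the constructed comment line removed (the real levels layout),
    # ignoring the first record loses 198.51.100.23 entirely.
    real_layout = SAMPLE_FEED.split("\n", 1)[1]
    print(sorted(load_feed(real_layout) - load_feed(real_layout, ignore_first_record=True)))
```

The geo enrichment is left out because geo_info_from_ip_address needs the engine's built-in location database; everything else in the query is a pure set-membership test, which is what this model checks.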

Details

Bert-Jan Pals

Released: June 8, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User,IPSum,DefenderForEndpoint,Sentinel,ThreatIntelFeed,IPRegex,MaliciousIP,DeviceNetworkEvents,RemoteIP,GeoIPInfo,country,state,city,latitude,longitude,Timestamp,DeviceName,RemotePort,InitiatingProcessAccountName,TimeGenerated

Operators

externaldata, with, let, format, ignoreFirstRecord, materialize, where, matches regex, distinct, in, extend, geo_info_from_ip_address, tostring, parse_json, project-reorder