IPSum suspicious and/or malicious IP addresses (Level 7)
TI Feed MISP IP Sum Level 7
Query
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountNameAbout this query
IPSum suspicious and/or malicious IP addresses (Level 7)
Source: IPSum
Feed information: https://github.com/stamparm/ipsum/
Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt
Defender XDR
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
Sentinel
Explanation
This query is designed to identify and analyze network events involving suspicious or malicious IP addresses using data from the IPSum threat intelligence feed. Here's a simplified breakdown of what the query does:
-
Data Source: It pulls a list of potentially malicious IP addresses from an external source (IPSum Level 7 feed) available at a specified URL.
-
IP Address Extraction: It uses a regular expression to extract valid IP addresses from the feed.
-
Distinct Malicious IPs: It creates a list of unique malicious IP addresses from the feed.
-
Network Events Filtering: It checks network events recorded in the
DeviceNetworkEventstable to see if any of the remote IPs involved in these events match the malicious IPs identified earlier. -
Geolocation Information: For each matching network event, it retrieves geolocation information (country, state, city, latitude, and longitude) based on the remote IP address.
-
Data Presentation: Finally, it organizes and presents the relevant information, including the timestamp, device name, remote IP, remote port, and the account name of the process that initiated the connection.
The query is structured similarly for both Defender XDR and Sentinel, with minor differences in the naming of the timestamp field (Timestamp vs. TimeGenerated).
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators