IPSum suspicious and/or malicious IP addresses (Level 8)
TI Feed MISP IP Sum Level 8
Query
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountNameAbout this query
IPSum suspicious and/or malicious IP addresses (Level 8)
Source: IPSum
Feed information: https://github.com/stamparm/ipsum/
Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt
Defender XDR
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
Sentinel
Explanation
This query is designed to identify and provide information about network events involving suspicious or malicious IP addresses. Here's a simplified explanation of what the query does:
-
Data Source: It uses an external data source, IPSum, which is a list of suspicious and/or malicious IP addresses. The specific list being used is "Level 8" from the IPSum feed.
-
IP Extraction: The query extracts IP addresses from the feed using a regular expression that matches standard IPv4 address formats.
-
Distinct IPs: It ensures that only unique IP addresses from the feed are considered.
-
Network Events Filtering: The query then checks network events (from
DeviceNetworkEvents) to see if any of the remote IP addresses involved in these events match the malicious IPs identified from the feed. -
Geolocation Information: For each matching network event, the query retrieves geolocation information based on the IP address. This includes the country, state, city, latitude, and longitude.
-
Output: Finally, the query organizes the output to show relevant details such as the timestamp of the event, the device name, the remote IP and port involved, and the account name of the process that initiated the connection.
The query is structured similarly for both Defender XDR and Sentinel, with a slight difference in the naming of the timestamp field (Timestamp for Defender XDR and TimeGenerated for Sentinel).
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators