Query Details

TI Feed MISP IPSum Level 8

Query

# IPSum suspicious and/or malicious IP addresses (Level 8)

#### Source: IPSum
#### Feed information: https://github.com/stamparm/ipsum/
#### Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt

### Defender For Endpoint
```
// Pull the IPSum level-8 list (one address per line) at query time.
// The regex filter below discards any comment or blank lines, so no header row needs to be skipped.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt");
// Dotted-quad pattern; the backslashes are doubled because this is a KQL string literal
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// materialize() fetches and filters the feed once instead of re-evaluating it per reference
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
// geo_info_from_ip_address() already returns a dynamic object, so its fields can be read directly
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
// project-reorder keeps every column; it only moves these to the front
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```


### Sentinel
```
// Identical to the Defender for Endpoint version except for the time column:
// the Sentinel-ingested DeviceNetworkEvents table uses TimeGenerated instead of Timestamp.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt");
// Dotted-quad pattern; the backslashes are doubled because this is a KQL string literal
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
    ThreatIntelFeed
    | where DestIP matches regex IPRegex
    | distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```

Explanation

The query downloads the IPSum Level 8 list with externaldata() at query time. In IPSum, the file levels/N.txt holds the addresses that appear on at least N of the aggregated blacklists, so Level 8 is the smallest and highest-confidence tier of the feed. The downloaded lines are reduced to dotted-quad strings, deduplicated and materialized, then used as the match list against DeviceNetworkEvents.RemoteIP. Each hit is enriched with geo_info_from_ip_address(), and project-reorder moves the timestamp (TimeGenerated in Sentinel), device name, remote IP, remote port and initiating process account name to the front while keeping all other columns. Two practical caveats: the query engine must be able to reach raw.githubusercontent.com for externaldata() to return any rows, and an empty or unreachable feed does not produce an error, it simply makes the detection return nothing, so the size of MaliciousIP is worth checking before relying on it.
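The following is an added example, not code from the original page or its author. It assumes the same IPSum feed URL as above and shows two things the explanation implies but the query does not do: a feed health check that exposes a silently empty or malformed download, and an aggregated form of the detection that yields one row per device and remote IP instead of one row per connection. For Sentinel, replace Timestamp with TimeGenerated.

```kql
// Added example, not part of the original query. Same feed URL as above is assumed.
//
// ---- Query 1: feed health check (run on its own) ----
// externaldata() returns zero rows when the download is blocked or the file
// moves, and the detection then never fires without any error. Check the feed first.
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt");
ThreatIntelFeed
| extend DestIP = trim(@"\s+", DestIP)
// parse_ipv4() returns null for comments, blank lines and malformed addresses
| extend IsIPv4 = isnotnull(parse_ipv4(DestIP))
| summarize TotalLines = count(),
            ValidIPs = countif(IsIPv4),
            // keep a few rejected lines so a format change is visible at a glance
            RejectedSamples = make_set_if(DestIP, not(IsIPv4), 5)

// ---- Query 2: detection, one row per device and remote IP (run on its own) ----
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt");
let MaliciousIP = materialize (
    ThreatIntelFeed
    | extend DestIP = trim(@"\s+", DestIP)
    | where isnotnull(parse_ipv4(DestIP))
    | distinct DestIP
);
DeviceNetworkEvents
| where Timestamp > ago(1d)
// Restricting to RemoteIPType == "Public" skips internal traffic before the feed lookup;
// remove this line if you want the raw match against every event.
| where RemoteIPType == "Public"
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(),
            Ports = make_set(RemotePort, 20),
            Processes = make_set(InitiatingProcessFileName, 10),
            Accounts = make_set(InitiatingProcessAccountName, 10),
            Country = take_any(tostring(GeoIPInfo.country))
        by DeviceName, RemoteIP
| order by Connections desc
```

Run the two queries separately; each declares its own let bindings so it is self-contained. If Query 1 reports ValidIPs = 0, fix the feed access before trusting a clean result from Query 2. The summarize in Query 2 keeps the first and last sighting, the set of ports and processes involved and the accounts that initiated the connections, which is usually what the analyst needs to decide whether one host beaconing to one listed address is a false positive or an incident.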

Details


Bert-Jan Pals

Released: June 8, 2023

Tables

ThreatIntelFeed, DeviceNetworkEvents

Keywords

Devices,Intune,User,IPSum,DefenderForEndpoint,Sentinel,ThreatIntelFeed,IPRegex,MaliciousIP,DeviceNetworkEvents,RemoteIP,GeoIPInfo,country,state,city,latitude,longitude,Timestamp,DeviceName,RemotePort,InitiatingProcessAccountName,TimeGenerated

Operators

externaldata, with, let, format, ignoreFirstRecord, materialize, where, matches regex, distinct, in, extend, geo_info_from_ip_address, parse_json, project-reorder
