# MontySecurity C2 Tracker All IPs
#### Source: MontySecurity
#### Feed information: https://github.com/montysecurity/C2-Tracker
#### Feed link: https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt
### Defender For Endpoint
```
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country),
         state = tostring(parse_json(GeoIPInfo).state),
         city = tostring(parse_json(GeoIPInfo).city),
         latitude = tostring(parse_json(GeoIPInfo).latitude),
         longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```
### Sentinel
```
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country),
         state = tostring(parse_json(GeoIPInfo).state),
         city = tostring(parse_json(GeoIPInfo).city),
         latitude = tostring(parse_json(GeoIPInfo).latitude),
         longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```
The query pulls the MontySecurity C2 Tracker feed with `externaldata`, skips the feed's first line (`ignoreFirstRecord=True`), keeps only entries that look like IPv4 addresses (the regex drops anything else) and deduplicates them into `MaliciousIP`. It then matches that set against the `RemoteIP` column of `DeviceNetworkEvents` in Defender for Endpoint or Sentinel, enriches each hit with geolocation fields from `geo_info_from_ip_address`, and moves the most relevant columns to the front with `project-reorder` (all other columns are kept). Note that the regex is a shape check only: it does not validate octet ranges, and `in` is an exact string match, so feed entries with stray whitespace or CIDR notation would not match.
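As an added example (not part of the original page or of the C2-Tracker project), the Python below reproduces the query's feed-parsing and matching steps offline on a constructed feed and constructed `DeviceNetworkEvents` rows, and goes one step further than the query by showing that its regex also accepts IP-shaped strings with out-of-range octets, which a strict parse rejects. The feed lines and events are constructed samples using TEST-NET addresses, not real indicators.

```python
import ipaddress
import re

# Same pattern as the KQL query (the KQL string '\\.' is the regex '\.').
IP_REGEX = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

# Constructed sample feed: a first line that is skipped (as ignoreFirstRecord=True
# does), one indicator per line, a duplicate, and one out-of-range entry.
SAMPLE_FEED = """ip
203.0.113.10
198.51.100.25
999.1.1.1
203.0.113.10
"""

# Constructed sample DeviceNetworkEvents rows (TEST-NET ranges, not real IoCs).
SAMPLE_EVENTS = [
    {"Timestamp": "2023-10-02T08:00:00Z", "DeviceName": "ws01",
     "RemoteIP": "203.0.113.10", "RemotePort": 443, "InitiatingProcessAccountName": "alice"},
    {"Timestamp": "2023-10-02T08:01:00Z", "DeviceName": "ws02",
     "RemoteIP": "192.0.2.5", "RemotePort": 80, "InitiatingProcessAccountName": "bob"},
    {"Timestamp": "2023-10-02T08:02:00Z", "DeviceName": "ws03",
     "RemoteIP": "198.51.100.25", "RemotePort": 8443, "InitiatingProcessAccountName": "svc"},
]


def load_feed(text: str, strict: bool = False) -> set:
    """Mirror the MaliciousIP step: skip the first record, keep IP-like lines, dedupe.

    strict=True additionally rejects strings that match the regex but are not valid
    IPv4 addresses (e.g. an octet above 255), which the query's regex alone accepts.
    """
    out = set()
    for line in text.splitlines()[1:]:  # ignoreFirstRecord=True
        value = line.strip()
        if not IP_REGEX.search(value):   # KQL 'matches regex' is an unanchored search
            continue
        if strict:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                continue
        out.add(value)
    return out


def match_events(events, malicious_ips):
    """Mirror 'DeviceNetworkEvents | where RemoteIP in (MaliciousIP)' (exact match)."""
    return [e for e in events if e["RemoteIP"] in malicious_ips]
```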

Bert-Jan Pals
Released: October 2, 2023