Query Details

TI Feed Threatviewio IP High Confidence Feed

Query

# Threatview IP High Confidence Feed

#### Source: Threatview
#### Feed information: https://threatview.io/
#### Feed link: https://threatview.io/Downloads/IP-High-Confidence-Feed.txt

### Defender For Endpoint
```KQL
// Pull the feed; the first line of the file is a header, not an indicator
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://threatview.io/Downloads/IP-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=true);
// Unanchored dotted-quad pattern used to drop comment/blank lines from the feed
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
// Exact string match of the remote endpoint against the de-duplicated feed
| where RemoteIP in (MaliciousIP)
// geo_info_from_ip_address already returns a dynamic object, so its fields can be read directly
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country),
         state = tostring(GeoIPInfo.state),
         city = tostring(GeoIPInfo.city),
         latitude = tostring(GeoIPInfo.latitude),
         longitude = tostring(GeoIPInfo.longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```


### Sentinel
```KQL
// Pull the feed; the first line of the file is a header, not an indicator
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://threatview.io/Downloads/IP-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=true);
// Unanchored dotted-quad pattern used to drop comment/blank lines from the feed
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
// Exact string match of the remote endpoint against the de-duplicated feed
| where RemoteIP in (MaliciousIP)
// geo_info_from_ip_address already returns a dynamic object, so its fields can be read directly
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country),
         state = tostring(GeoIPInfo.state),
         city = tostring(GeoIPInfo.city),
         latitude = tostring(GeoIPInfo.latitude),
         longitude = tostring(GeoIPInfo.longitude)
// Sentinel's DeviceNetworkEvents table carries TimeGenerated instead of Timestamp
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
```

Explanation

This query retrieves the list of malicious IP addresses from Threatview's high-confidence feed (skipping the feed's header line and keeping only rows that look like IPv4 addresses) and then looks for any network events in Defender for Endpoint or Sentinel whose RemoteIP exactly matches one of those IPs. It then adds geographical information to each matching event and reorders the key fields to the front for analysis.
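The same feed-to-event matching logic, written in Python so it can be run offline against constructed data. This is an added example, not code from the page or from Threatview; the feed text and the DeviceNetworkEvents-style records below are constructed samples, and the IPv4 validity check is an addition the KQL regex alone does not perform.

```python
import ipaddress
import re

# Constructed sample of the feed layout: a header line followed by one IP per line.
SAMPLE_FEED = """# IP High Confidence Feed (constructed sample header)
203.0.113.10
198.51.100.7
not-an-ip
203.0.113.10
"""

# Same pattern as the KQL IPRegex. It is unanchored, so it also accepts
# octets above 255; the ipaddress check below closes that gap.
IP_REGEX = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

# Constructed records shaped like DeviceNetworkEvents rows.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-10T08:00:00Z", "DeviceName": "wks-01",
     "RemoteIP": "203.0.113.10", "RemotePort": 443, "InitiatingProcessAccountName": "alice"},
    {"Timestamp": "2024-05-10T08:01:00Z", "DeviceName": "wks-02",
     "RemoteIP": "192.0.2.55", "RemotePort": 80, "InitiatingProcessAccountName": "bob"},
    {"Timestamp": "2024-05-10T08:02:00Z", "DeviceName": "srv-01",
     "RemoteIP": "198.51.100.7", "RemotePort": 8080, "InitiatingProcessAccountName": "svc"},
]


def load_feed(text: str) -> set:
    """Mirror the KQL: ignoreFirstRecord, 'matches regex IPRegex', then 'distinct'."""
    malicious = set()
    for line in text.splitlines()[1:]:      # ignoreFirstRecord=true
        line = line.strip()
        if not IP_REGEX.search(line):       # where DestIP matches regex IPRegex
            continue
        try:
            ipaddress.IPv4Address(line)     # extra: reject e.g. 999.1.1.1
        except ValueError:
            continue
        malicious.add(line)                 # distinct DestIP
    return malicious


def match_events(events: list, malicious: set) -> list:
    """Equivalent of: DeviceNetworkEvents | where RemoteIP in (MaliciousIP)."""
    return [e for e in events if e["RemoteIP"] in malicious]


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, load_feed(SAMPLE_FEED)):
        print(hit["Timestamp"], hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"])
```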

Details

Bert-Jan Pals

Released: May 10, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeed,DestIP,IPRegex,MaliciousIP,DeviceNetworkEvents,RemoteIP,GeoIPInfo,TimeGenerated,DeviceName,RemotePort,InitiatingProcessAccountName

Operators

externaldata, with, format, ignoreFirstRecord, regex, distinct, where, in, extend, geo_info_from_ip_address, tostring, parse_json, project-reorder