Query Details

Threatview IP High Confidence Feed

TI Feed Threatviewio IP High Confidence Feed

Query

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://threatview.io/Downloads/IP-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

About this query

Threatview IP High Confidence Feed

Source: Threatview

Feed information: https://threatview.io/

Feed link: https://threatview.io/Downloads/IP-High-Confidence-Feed.txt

Defender XDR

Sentinel

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://threatview.io/Downloads/IP-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Explanation

This query is designed to identify potentially malicious network activity by comparing IP addresses from a threat intelligence feed with network events recorded by a security system. Here's a simplified breakdown of what the query does:

  1. Load Threat Intelligence Feed: It retrieves a list of IP addresses from an external source (Threatview's High Confidence IP Feed) that are considered potentially malicious.

  2. Filter Valid IP Addresses: It uses a regular expression to ensure that only valid IP addresses are considered from the feed.

  3. Identify Malicious IPs: It creates a distinct list of these valid IP addresses, which are considered potentially malicious.

  4. Compare with Network Events: It checks the network events recorded by the security system (either Defender XDR or Sentinel) to see if any of the remote IP addresses match those in the malicious IP list.

  5. Geolocation Information: For any matching IP addresses, it retrieves geolocation information, such as country, state, city, latitude, and longitude.

  6. Output Relevant Information: Finally, it organizes and outputs relevant details about these network events, including the timestamp, device name, remote IP, remote port, and the account name of the initiating process.

The main difference between the Defender XDR and Sentinel queries is the field name used for the timestamp (Timestamp vs. TimeGenerated), which reflects slight variations in the schema of the two systems.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeedDestIPMaliciousIPDeviceNetworkEventsRemoteIPGeoIPInfoCountryStateCityLatitudeLongitudeTimestampDeviceNameRemotePortInitiatingProcessAccountNameTimeGenerated

Operators

letexternaldatawithmatchesregexdistinctmaterializewhereinextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub