Query Details

TI User Risk Event IP In Firehol IPset List

Query

//This query checks AADUserRiskEvents for IP addresses that appear in the FireHOL level 4 blocklist and correlates them with the most recent IdentityLogonEvents row per IP
//Includes country/region (CIDR column), ISP, user agent details and risk state, and flags Tor exit nodes
let timeframe = 24h;
let ip_regex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let threat_intel_feed = externaldata(DestIP: string)
    [@'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset']
    with (format='txt', ignoreFirstRecord=true);
let tor_nodes = materialize(externaldata(NodeIP: string)
    [@'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/tor_exits.ipset']
    with (format='txt', ignoreFirstRecord=true)
    | distinct NodeIP);
let malicious_ips = materialize(
    threat_intel_feed
    // keep only lines that look like IPv4 addresses or CIDR ranges; this drops the feed's '#' comment header
    | where DestIP matches regex ip_regex
    | distinct DestIP
    );
AADUserRiskEvents
| where TimeGenerated > ago(timeframe)
// CIDR-aware match: a single IpAddress matches both host entries and /nn ranges in the feed; unmatched rows are dropped
| evaluate ipv4_lookup(malicious_ips, IpAddress, DestIP, return_unmatched=false)
| extend CIDR = Location.countryOrRegion, UserPrincipalName = tolower(UserPrincipalName)
| join kind=inner (IdentityLogonEvents
    | summarize arg_max(TimeGenerated, *) by IPAddress)
    on $left.IpAddress == $right.IPAddress
| extend
    UserAgent = iff(AdditionalInfo[0].Key == 'userAgent', tostring(AdditionalInfo[0].Value), 'None'),
    CloudService = tostring(AdditionalFields.['ARG.CLOUD_SERVICE']),
    CIDR = iff(IpAddress in(tor_nodes), strcat(CIDR, ' | Tor node'), CIDR)
| project
    TimeGenerated,
    UserDisplayName,
    UserPrincipalName,
    RiskEventType,
    RiskDetail,
    IpAddress,
    CIDR,
    ISP,
    DeviceType,
    OSPlatform,
    UserAgent,
    CloudService,
    Application,
    LogonType,
    ActionType,
    RiskLevel,
    RiskState,
    DetectionTimingType,
    Source,
    Location,
    AdditionalInfo,
    Type
| sort by TimeGenerated desc

Explanation

This query identifies potentially malicious IP addresses involved in recent login activity by combining two tables, AADUserRiskEvents and IdentityLogonEvents. Here's a simplified breakdown of what the query does:

  1. Timeframe: It focuses on risk events from the last 24 hours.

  2. Threat Intelligence: It retrieves the FireHOL level 4 blocklist (firehol_level4.netset) as an external threat intelligence feed.

  3. Tor Nodes: It also fetches the list of Tor exit node addresses (tor_exits.ipset).

  4. Malicious IPs: It keeps only the feed lines that look like IPv4 addresses or CIDR ranges (dropping the feed's comment lines) and deduplicates them.

  5. Risk Events: It examines user risk events within the timeframe and matches their IP address against the feed with ipv4_lookup, which is CIDR-aware, so an address inside a listed range is a match as well; unmatched events are dropped.

  6. Logon Events Correlation: It joins each matched risk event to the most recent logon event from the same IP address (arg_max on TimeGenerated per IP) to gather additional context.

  7. Additional Details: For each matched event, it extends the row with:

    • Country/region from the risk event's Location (projected as CIDR) and the ISP from the logon event
    • The user agent from the first AdditionalInfo entry, if present
    • Whether the IP is a Tor exit node (appended to the CIDR column)
    • Various user and event attributes such as risk state, device type and the cloud service used

  8. Output: The query projects the relevant columns and sorts the results by TimeGenerated in descending order.

In essence, this query helps security analysts identify and investigate suspicious login activities by correlating them with known malicious IP addresses and additional contextual information.
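To make the steps above concrete outside of a Sentinel workspace, here is an added Python example (it is not the author's query or the query site's code) that does the same work over in-memory rows: it parses a FireHOL-style netset whose comment header and CIDR entries are the reason for the regex filter and ipv4_lookup, performs the CIDR-aware lookup, keeps the newest logon row per IP like arg_max, tags Tor exits and projects the result. The feed contents, risk events and logon events are constructed samples using documentation address ranges; the helper names (parse_ipset, cidr_lookup, correlate) are this example's own, and the column names mirror those the query uses.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed FireHOL-style netset: '#' header lines, then one IP or CIDR per line (not the real feed).
FIREHOL_LEVEL4_SAMPLE = """\
#
# firehol_level4.netset (constructed sample for this example)
# Maintainer : FireHOL team
#
198.51.100.0/24
203.0.113.77
192.0.2.0/25
"""

# Constructed tor_exits.ipset sample with the same layout.
TOR_EXITS_SAMPLE = """\
#
# tor_exits.ipset (constructed sample)
#
203.0.113.77
198.51.100.9
"""

NOW = datetime(2024, 11, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the run is deterministic


def risk(hours_ago, upn, ip, country, info=None):
    """Build a constructed row shaped like the AADUserRiskEvents columns the query reads."""
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "UserPrincipalName": upn, "IpAddress": ip,
            "Location": {"countryOrRegion": country}, "AdditionalInfo": info or []}


def logon(hours_ago, ip, isp, fields):
    """Build a constructed row shaped like the IdentityLogonEvents columns the query joins on."""
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "IPAddress": ip, "ISP": isp, "AdditionalFields": fields}


RISK_EVENTS = [
    risk(2, "Alice@Contoso.com", "203.0.113.77", "NL", [{"Key": "userAgent", "Value": "Mozilla/5.0"}]),
    risk(5, "bob@contoso.com", "198.51.100.42", "DE"),
    risk(1, "carol@contoso.com", "192.0.2.200", "US"),  # outside 192.0.2.0/25, so no feed match
    risk(30, "dave@contoso.com", "203.0.113.77", "NL"),  # outside the 24h window
]

LOGON_EVENTS = [
    logon(3, "203.0.113.77", "ExampleHost", {"ARG.CLOUD_SERVICE": "Office 365"}),
    logon(2, "203.0.113.77", "ExampleHost", {"ARG.CLOUD_SERVICE": "Azure Portal"}),  # newest per IP wins (arg_max)
    logon(6, "198.51.100.42", "OtherISP", {}),
]

IP_OR_CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def parse_ipset(text):
    """Parse a FireHOL ipset/netset body into ip_network objects. Like the query's
    'matches regex' filter, this drops the '#' header (the feed has many such lines,
    so ignoreFirstRecord alone would not be enough)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not IP_OR_CIDR.match(line):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def cidr_lookup(nets, ip):
    """Equivalent of ipv4_lookup: longest-prefix match of ip against nets, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def correlate(risk_events, logon_events, feed_text, tor_text, now=NOW, timeframe=timedelta(hours=24)):
    """Apply the query's steps to in-memory rows and return the projected results, newest first."""
    malicious = parse_ipset(feed_text)
    tor_nodes = {str(n.network_address) for n in parse_ipset(tor_text)}
    latest_logon = {}  # summarize arg_max(TimeGenerated, *) by IPAddress
    for row in logon_events:
        cur = latest_logon.get(row["IPAddress"])
        if cur is None or row["TimeGenerated"] > cur["TimeGenerated"]:
            latest_logon[row["IPAddress"]] = row
    results = []
    for ev in risk_events:
        if ev["TimeGenerated"] <= now - timeframe:
            continue  # where TimeGenerated > ago(timeframe)
        hit = cidr_lookup(malicious, ev["IpAddress"])
        if hit is None:
            continue  # return_unmatched=false
        lg = latest_logon.get(ev["IpAddress"])
        if lg is None:
            continue  # join kind=inner
        info = ev["AdditionalInfo"]
        ua = info[0]["Value"] if info and info[0].get("Key") == "userAgent" else "None"
        results.append({
            "TimeGenerated": ev["TimeGenerated"],
            "UserPrincipalName": ev["UserPrincipalName"].lower(),
            "IpAddress": ev["IpAddress"],
            "MatchedEntry": str(hit),
            "CIDR": ev["Location"]["countryOrRegion"] + (" | Tor node" if ev["IpAddress"] in tor_nodes else ""),
            "ISP": lg["ISP"],
            "UserAgent": ua,
            "CloudService": lg["AdditionalFields"].get("ARG.CLOUD_SERVICE", ""),
        })
    results.sort(key=lambda r: r["TimeGenerated"], reverse=True)
    return results


if __name__ == "__main__":
    for r in correlate(RISK_EVENTS, LOGON_EVENTS, FIREHOL_LEVEL4_SAMPLE, TOR_EXITS_SAMPLE):
        print(r)
```

Running it yields two rows: alice (203.0.113.77, matched as a host entry, tagged "NL | Tor node", cloud service taken from the newer of her two logon rows) and bob (198.51.100.42, matched through the 198.51.100.0/24 range). carol's address falls outside the listed /25 and dave's event is older than the window, so both are dropped, which is the behaviour to expect from return_unmatched=false and the ago(timeframe) filter in the query.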

Details

Benjamin Zulliger

Released: November 10, 2024

Tables

AADUserRiskEvents, IdentityLogonEvents

Keywords

IdentityRiskEvents, IdentityLogonEvents, User, IPAddress, CIDR, ISP, DeviceType, OSPlatform, UserAgent, CloudService, Application, LogonType, ActionType, RiskLevel, RiskState, DetectionTimingType, Source, Location, AdditionalInfo, Type

Operators

let, externaldata, with, materialize, where, matches regex, distinct, ago, evaluate, ipv4_lookup, extend, tolower, join, kind, summarize, arg_max, on, iff, tostring, strcat, in, project, sort by
