# Visualizing Fortigate’s CVE-2022-40684 Belsen Group leaked affected IPs

# Description

The following queries have been built mostly for learning purposes based on the IPs leaked by Belsen Group as reported at [this](https://github.com/arsolutioner/fortigate-belsen-leak) repository.

# Visualizing Fortigate’s CVE-2022-40684 Belsen Group leaked affected IPs with points on map

### Azure Data Explorer
```
let RawFortiGateIPs = externaldata (RawFortiGateIPs: string)
    [h"https://raw.githubusercontent.com/arsolutioner/fortigate-belsen-leak/main/affected_ips.txt"]
    with (format="txt");                    // one row per line of the leaked list
RawFortiGateIPs
| extend FortiGateIPs = extract(@"^(?<IPAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
        1, RawFortiGateIPs)                 // IPv4-looking token at the start of the line
| where isnotempty(FortiGateIPs)            // drop lines that did not match
| extend IPInfo = geo_info_from_ip_address(FortiGateIPs)   // built-in geolocation, returns dynamic
| where isnotempty(IPInfo)
| extend BeginLon = toreal(parse_json(IPInfo).longitude),
         BeginLat = toreal(parse_json(IPInfo).latitude)
| where isnotempty(BeginLon) and isnotempty(BeginLat)      // keep only rows with coordinates
| project BeginLon, BeginLat
| render scatterchart with (kind = map)     // longitude/latitude pairs plotted as map points
```

# Visualizing Fortigate’s CVE-2022-40684 Belsen Group leaked affected IPs with points on map based on specific Country

### Azure Data Explorer
```
let RawFortiGateIPs = externaldata (RawFortiGateIPs: string)
    [h"https://raw.githubusercontent.com/arsolutioner/fortigate-belsen-leak/main/affected_ips.txt"]
    with (format="txt");                    // one row per line of the leaked list
RawFortiGateIPs
| extend FortiGateIPs = extract(@"^(?<IPAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
        1, RawFortiGateIPs)                 // IPv4-looking token at the start of the line
| where isnotempty(FortiGateIPs)            // drop lines that did not match
| extend IPInfo = geo_info_from_ip_address(FortiGateIPs)   // built-in geolocation, returns dynamic
| where isnotempty(IPInfo)
| extend Countries = tostring(parse_json(IPInfo).country),
         BeginLon = toreal(parse_json(IPInfo).longitude),
         BeginLat = toreal(parse_json(IPInfo).latitude)
| where isnotempty(BeginLon) and isnotempty(BeginLat)      // keep only rows with coordinates
| where Countries has "Greece"              // define the country of interest
| project BeginLon, BeginLat
| render scatterchart with (kind = map)     // longitude/latitude pairs plotted as map points
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 17/01/2025    | Initial publish                        |

# Explanation

This KQL (Kusto Query Language) script is designed to visualize IP addresses affected by the Fortigate CVE-2022-40684 vulnerability, which were leaked by the Belsen Group. The script uses Azure Data Explorer to plot these IPs on a map. Here's a breakdown of what each part of the script does:

1. Data Source: The script fetches a list of affected IP addresses from a text file hosted on GitHub.
2. Extracting IP Addresses: It uses a regular expression to extract the IPv4 address at the start of each line of the raw data.
3. Geolocation Information: For each extracted IP address, the script retrieves geolocation information, including longitude and latitude.
4. Filtering Valid Geolocations: It ensures that only IPs with valid geolocation data (longitude and latitude) are considered.
5. Visualization:
   - The first query visualizes all affected IPs on a map using a scatter chart.
   - The second query filters these IPs to only show those located in Greece before plotting them on the map.
6. Versioning: The script includes a versioning table indicating that this is the initial version, published on January 17, 2025.

In summary, this script is a learning tool to visualize the geographical distribution of IP addresses affected by a specific Fortigate vulnerability, with an option to focus on a particular country.
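The same extract-and-filter steps can be reproduced offline, which is useful for a defender who wants to check whether any of their own public ranges appear in the leaked list rather than plot it. The Python below is an added example, not code from the page or from the linked repository: the sample lines are constructed (they are not the real file), the CIDR ranges are placeholders, and the built-in `geo_info_from_ip_address()` geolocation is not replicated; addresses are grouped per network prefix instead. It also tightens one thing the KQL regex does not: a `\d{1,3}` octet pattern accepts values such as 999, so each candidate is validated with the `ipaddress` module before it is counted.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample standing in for affected_ips.txt (not the real leak file).
# Lines deliberately include a trailing port, trailing text, a comment line,
# an out-of-range octet, junk, and a duplicate, to exercise each filter.
SAMPLE_LEAK_LINES = """\
203.0.113.10
203.0.113.11:443
# comment or header line
198.51.100.7 some trailing annotation
999.1.2.3
not an ip
192.0.2.200
192.0.2.200
"""

# Same shape as the KQL extract() pattern: an IPv4-looking token at line start.
IPV4_PREFIX = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def extract_ips(text):
    """Mirror extract() + isnotempty(), then tighten the filter.

    The regex accepts any 1-3 digit octets, so 999.1.2.3 would pass it;
    IPv4Address() rejects octets above 255 and keeps only real addresses.
    """
    found = []
    for line in text.splitlines():
        match = IPV4_PREFIX.match(line)
        if not match:
            continue
        try:
            found.append(ipaddress.IPv4Address(match.group(1)))
        except ipaddress.AddressValueError:
            continue  # looked like an IP to the regex, but is not one
    return found


def unique_ips(ips):
    """Collapse repeated entries so one device counts once (the KQL pipeline
    renders every row, so a duplicated line becomes a stacked point)."""
    return sorted(set(ips))


def match_own_ranges(ips, own_cidrs):
    """Defender check: which leaked addresses fall inside our own public ranges.

    own_cidrs is a list of CIDR strings (the values used below are constructed
    placeholders). Returns {cidr: [addresses]} for ranges with at least one hit.
    """
    networks = [ipaddress.IPv4Network(c, strict=False) for c in own_cidrs]
    hits = {}
    for ip in ips:
        for net in networks:
            if ip in net:
                hits.setdefault(str(net), []).append(str(ip))
    return hits


def count_by_prefix(ips, prefix_len=24):
    """Aggregate addresses per /prefix_len block: an offline stand-in for the
    per-country grouping that geo_info_from_ip_address() provides in ADX."""
    counts = Counter()
    for ip in ips:
        block = ipaddress.IPv4Network(f"{ip}/{prefix_len}", strict=False)
        counts[str(block)] += 1
    return counts


if __name__ == "__main__":
    addresses = unique_ips(extract_ips(SAMPLE_LEAK_LINES))
    print(f"{len(addresses)} unique addresses parsed")
    # Constructed example ranges; substitute your organisation's real prefixes.
    print("hits in own ranges:",
          match_own_ranges(addresses, ["203.0.113.0/24", "10.0.0.0/8"]))
    print("per /24:", count_by_prefix(addresses))
```

To run it against the real list, read the downloaded `affected_ips.txt` into `extract_ips()` in place of the constructed sample; a non-empty result from `match_own_ranges()` is the signal that an exposed appliance in your ranges should be checked for the CVE-2022-40684 patch and for credential rotation.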

# Details


Michalis Michalos

Released: January 17, 2025

Tables

RawFortiGateIPs

Keywords

IPs, Country, Map, Geo

Operators

let, externaldata, with, extend, extract, where, isnotempty, geo_info_from_ip_address, toreal, parse_json, project, render, tostring, has