Visualizing Fortigate’s CVE-2022-40684 Belsen Group leaked affected IPs
Visualizing Fortigate Cve 2022 40684 Belsen Group Leaked Affected Ips
Query
let RawFortiGateIPs = externaldata (RawFortiGateIPs: string)
[h"https://raw.githubusercontent.com/arsolutioner/fortigate-belsen-leak/main/affected_ips.txt"]
with (format="txt");
RawFortiGateIPs
| extend FortiGateIPs = extract(@"^(?<IPAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
1, RawFortiGateIPs)
| where isnotempty(FortiGateIPs)
| extend IPInfo = geo_info_from_ip_address(FortiGateIPs)
| where isnotempty(IPInfo)
| extend Countries = tostring(parse_json(IPInfo).country),
BeginLon = toreal(parse_json(IPInfo).longitude),
BeginLat = toreal(parse_json(IPInfo).latitude)
| where isnotempty(BeginLon) and isnotempty(BeginLat)
| where Countries has "Greece" // Define the country of interest
| project BeginLon, BeginLat
| render scatterchart with (kind = map)About this query
Explanation
This KQL (Kusto Query Language) script is designed to visualize IP addresses affected by the Fortigate CVE-2022-40684 vulnerability, which were leaked by the Belsen Group. The script uses Azure Data Explorer to plot these IPs on a map. Here's a breakdown of what each part of the script does:
-
Data Source: The script fetches a list of affected IP addresses from a text file hosted on GitHub.
-
Extracting IP Addresses: It uses a regular expression to extract valid IP addresses from the raw data.
-
Geolocation Information: For each extracted IP address, the script retrieves geolocation information, including longitude and latitude.
-
Filtering Valid Geolocations: It ensures that only IPs with valid geolocation data (longitude and latitude) are considered.
-
Visualization:
- The first query visualizes all affected IPs on a map using a scatter chart.
- The second query filters these IPs to only show those located in Greece before plotting them on the map.
-
Versioning: The script includes a versioning table indicating that this is the initial version, published on January 17, 2025. In summary, this script is a learning tool to visualize the geographical distribution of IP addresses affected by a specific Fortigate vulnerability, with an option to focus on a particular country.
Details

Michalis Michalos
Released: January 17, 2025
Tables
Keywords
Operators