Query Details

Visualizing Fortigate’s CVE-2022-40684 Belsen Group leaked affected IPs

Visualizing Fortigate Cve 2022 40684 Belsen Group Leaked Affected Ips

Query

let RawFortiGateIPs = externaldata (RawFortiGateIPs: string) 
    [h"https://raw.githubusercontent.com/arsolutioner/fortigate-belsen-leak/main/affected_ips.txt"]
    with (format="txt");
RawFortiGateIPs
| extend FortiGateIPs = extract(@"^(?<IPAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
        1, RawFortiGateIPs)
| where isnotempty(FortiGateIPs)
| extend IPInfo = geo_info_from_ip_address(FortiGateIPs)
| where isnotempty(IPInfo)
| extend Countries = tostring(parse_json(IPInfo).country),
         BeginLon = toreal(parse_json(IPInfo).longitude),
         BeginLat = toreal(parse_json(IPInfo).latitude)
| where isnotempty(BeginLon) and isnotempty(BeginLat)
| where Countries has "Greece" // Define the country of interest
| project BeginLon, BeginLat
| render scatterchart with (kind = map)

About this query

Explanation

This KQL (Kusto Query Language) script is designed to visualize IP addresses affected by the Fortigate CVE-2022-40684 vulnerability, which were leaked by the Belsen Group. The script uses Azure Data Explorer to plot these IPs on a map. Here's a breakdown of what each part of the script does:

  1. Data Source: The script fetches a list of affected IP addresses from a text file hosted on GitHub.

  2. Extracting IP Addresses: It uses a regular expression to extract valid IP addresses from the raw data.

  3. Geolocation Information: For each extracted IP address, the script retrieves geolocation information, including longitude and latitude.

  4. Filtering Valid Geolocations: It ensures that only IPs with valid geolocation data (longitude and latitude) are considered.

  5. Visualization:

    • The first query visualizes all affected IPs on a map using a scatter chart.
    • The second query filters these IPs to only show those located in Greece before plotting them on the map.
  6. Versioning: The script includes a versioning table indicating that this is the initial version, published on January 17, 2025. In summary, this script is a learning tool to visualize the geographical distribution of IP addresses affected by a specific Fortigate vulnerability, with an option to focus on a particular country.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: January 17, 2025

Tables

RawFortiGateIPs

Keywords

IPsCountryMapGeo

Operators

letexternaldatawithextendextractwhereisnotemptygeo_info_from_ip_addresstorealparse_jsonprojectrendertostringhas

Actions

GitHub