C2intel Feeds I Ps
Query
Tags:
Query:
DeviceNetworkEvents
| where RemoteIPType == "Public"
| where RemoteIP in ((externaldata(IP: string ) [@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"]
with (format=csv, ignoreFirstRecord=true) | distinct IP
))
| where InitiatingProcessFileName !in ("Google Chrome Helper","chrome.exe","firefox.exe","msedge.exe","opera.exe")
References:Explanation
Sure! Here's a simple summary of the query:
- Source Table: The query is looking at data from the
DeviceNetworkEventstable. - Filter for Public IPs: It filters the events to only include those where the
RemoteIPTypeis "Public". - Check Against External List: It then checks if the
RemoteIPis in a list of IP addresses from an external CSV file hosted on GitHub. This file contains potentially malicious IP addresses. - Exclude Certain Processes: Finally, it excludes events where the initiating process is one of several common web browsers (like Chrome, Firefox, Edge, and Opera).
In essence, this query identifies network events involving public IP addresses that match a list of suspicious IPs, but it ignores events initiated by common web browsers.
Details

Ali Hussein
Released: September 13, 2023
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsRemoteIPTypeExternalDataInitiatingProcessFileName
Operators
DeviceNetworkEvents|where==inexternaldata(:string)[@withformat=csvignoreFirstRecordtruedistinct!in