Abuse.ch Botnet C2 IP Blacklist to detect external C2 connections
TI Feed Abuse CHIP Blacklist Feed
Query
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://sslbl.abuse.ch/blacklist/sslipblacklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)About this query
Abuse.ch Botnet C2 IP Blacklist to detect external C2 connections
Source: Abuse.ch
Feed link: https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
Defender For Endpoint
Sentinel
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://sslbl.abuse.ch/blacklist/sslipblacklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
Explanation
The query retrieves a list of malicious IP addresses from the Abuse.ch Botnet C2 IP Blacklist. It then filters network events based on whether the remote IP address is in the list of malicious IPs. The query also enriches the data by adding geographical information (country, state, city, latitude, longitude) for each IP address.
Details

Bert-Jan Pals
Released: June 8, 2023
Tables
DeviceNetworkEvents
Keywords
DevicesIntuneUserKQLThreatIntelFeedexternaldataDestIPformatignoreFirstRecordIPRegexMaliciousIPmaterializematchesregexdistinctDeviceNetworkEventsRemoteIPGeoIPInfogeo_info_from_ip_addresscountrystatecitylatitudelongitudeparse_json
Operators
externaldatawithformatignoreFirstRecordletstringmatches regexdistinctwhereinextendgeo_info_from_ip_addresstostringparse_json