Command & Control intel Feeds (IP Based)
TI Feed C2IP Feed
Query
let C2IntelFeeds = externaldata(IP: string, ioc:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=True);
let IPList = C2IntelFeeds
| project IP;
DeviceNetworkEvents
| where RemoteIP in (IPList)
| join kind=inner C2IntelFeeds on $left.RemoteIP == $right.IP
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, iocAbout this query
Command & Control intel Feeds (IP Based)
Source: https://github.com/drb-ra
Feed information: https://github.com/drb-ra/C2IntelFeeds
Feed link: https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv
Defender XDR
let C2IntelFeeds = externaldata(IP: string, ioc:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=True);
let IPList = C2IntelFeeds
| project IP;
DeviceNetworkEvents
| where RemoteIP in (IPList)
| join kind=inner C2IntelFeeds on $left.RemoteIP == $right.IP
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, ioc
Sentinel
Explanation
This query is designed to identify and provide information about network events involving IP addresses associated with Command & Control (C2) threats. Here's a simple breakdown of what the query does:
-
Data Source: It uses an external data source, specifically a CSV file hosted on GitHub, which contains a list of IP addresses known to be associated with C2 threats.
-
Data Extraction: The query extracts IP addresses and associated indicators of compromise (IOC) from this CSV file.
-
Event Filtering: It then filters network events from a dataset (
DeviceNetworkEvents) to find those where the remote IP address matches any of the IPs from the C2 threat list. -
Data Joining: The query joins the filtered network events with the C2 threat data to enrich the event data with threat intelligence.
-
Geolocation Information: For each matching network event, it retrieves geolocation information based on the remote IP address, including country, state, city, latitude, and longitude.
-
Result Projection: Finally, it selects and displays specific fields from the enriched data, such as the timestamp of the event, device name, remote IP address, remote port, remote URL, and the IOC.
The query is structured to work with two different systems, Defender XDR and Sentinel, with slight variations in the field names for timestamps (Timestamp for Defender XDR and TimeGenerated for Sentinel). The purpose is to monitor and analyze potential security threats by identifying network communications with known malicious IPs.
Details

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators