IPSum suspicious and/or malicious IP addresses (Level 6)
TI Feed MISP IP Sum Level 6
Query
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountNameAbout this query
IPSum suspicious and/or malicious IP addresses (Level 6)
Source: IPSum
Feed information: https://github.com/stamparm/ipsum/
Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt
Defender XDR
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
Sentinel
Explanation
This query is designed to identify and provide information about network events involving suspicious or malicious IP addresses. Here's a simple breakdown of what the query does:
-
Threat Intelligence Feed: The query pulls a list of potentially malicious IP addresses from an external source, specifically from a file hosted on GitHub. This file contains IP addresses categorized as Level 6 threats by the IPSum project.
-
IP Address Extraction: It uses a regular expression to extract valid IP addresses from the feed. This ensures that only properly formatted IP addresses are considered.
-
Distinct Malicious IPs: The query then creates a distinct list of these IP addresses to avoid duplicates.
-
Network Events Filtering: The query checks network events recorded in the
DeviceNetworkEventstable to see if any of the remote IPs involved in these events match the list of malicious IPs. -
Geolocation Information: For each matching network event, the query retrieves geolocation information based on the IP address. This includes the country, state, city, latitude, and longitude.
-
Data Presentation: Finally, the query organizes the results to show specific details about each event, such as the timestamp, device name, remote IP, remote port, and the account name of the process that initiated the connection.
The main difference between the Defender XDR and Sentinel versions of the query is the field used for the timestamp (Timestamp vs. TimeGenerated), which may relate to differences in the schema or naming conventions between the two systems.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators