Query Details

IPSum suspicious and/or malicious IP addresses (Level 7)

TI Feed MISP IP Sum Level 7

Query

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

About this query

IPSum suspicious and/or malicious IP addresses (Level 7)

Source: IPSum

Feed information: https://github.com/stamparm/ipsum/

Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt

Defender XDR

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Sentinel

Explanation

This query is designed to identify and analyze network events involving suspicious or malicious IP addresses using data from the IPSum threat intelligence feed. Here's a simplified breakdown of what the query does:

  1. Data Source: It pulls a list of potentially malicious IP addresses from an external source (IPSum Level 7 feed) available at a specified URL.

  2. IP Address Extraction: It uses a regular expression to extract valid IP addresses from the feed.

  3. Distinct Malicious IPs: It creates a list of unique malicious IP addresses from the feed.

  4. Network Events Filtering: It checks network events recorded in the DeviceNetworkEvents table to see if any of the remote IPs involved in these events match the malicious IPs identified earlier.

  5. Geolocation Information: For each matching network event, it retrieves geolocation information (country, state, city, latitude, and longitude) based on the remote IP address.

  6. Data Presentation: Finally, it organizes and presents the relevant information, including the timestamp, device name, remote IP, remote port, and the account name of the process that initiated the connection.

The query is structured similarly for both Defender XDR and Sentinel, with minor differences in the naming of the timestamp field (Timestamp vs. TimeGenerated).

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeedDestIPMaliciousIPDeviceNetworkEventsRemoteIPGeoIPInfoCountryStateCityLatitudeLongitudeTimestampDeviceNameRemotePortInitiatingProcessAccountNameTimeGenerated

Operators

letexternaldatawithmatchesregexmaterializewheredistinctinextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub